Alabama CON Report – January 2025

Bradley presents its January 2025 Alabama CON Review Board Update, prepared for the firm’s healthcare clients and other interested parties. The firm’s Certificate of Need practice utilizes a cross-disciplinary team approach, involving transactional, regulatory, and government relations attorneys. Firm attorneys monitor legislative, regulatory, judicial, and administrative developments related to health planning; routinely advise clients on how these developments affect clients’ healthcare businesses; and guide clients through the requirements and regulatory hurdles for client acquisitions, development, and expansions.

California SB 923: New Trans-Inclusive Healthcare Requirements for Health Plans

Beginning in the first quarter of 2025, California healthcare service plans, health insurers, Medi-Cal managed care plans, and PACE organizations must ensure that staff who have direct enrollee contact receive evidence-based cultural competency training focused on transgender-inclusive healthcare. This requirement arises from Senate Bill No. 923 (SB 923), a law passed by the California legislature in 2022. Provider directories must also be updated by March 1, 2025, to identify which in-network providers have previously offered gender-affirming services.
SB 923 is part of a broader effort by the California legislature to require healthcare entities to improve access to culturally competent gender-affirming care for transgender, gender diverse, and intersex (TGI) individuals. This legislation builds on prior mandates requiring physicians and surgeons to complete continuing medical education (CME) courses addressing cultural and linguistic competency. The legislation expanded existing cultural competency training requirements to now require CME programs to address TGI-related health needs, thus laying a foundation for the broader system-wide changes that SB 923 compels.
While the statute sets “no later than March 1, 2025,” as the outer deadline for compliance, the California Department of Managed Health Care (DMHC) All Plan Letter (APL) 24-018 imposes an earlier deadline – February 14, 2025 – for all full-service (and certain specialized) healthcare service plans under DMHC jurisdiction to complete the required training.
Below we outline the key requirements, summarize the CME obligations already in effect, consider initial feedback from early implementation, and offer steps to help affected entities prepare for upcoming deadlines.

In Depth

NEW REQUIREMENTS FOR HEALTH PLANS, INSURERS, AND MEDI-CAL MANAGED CARE ENTITIES
SB 923 requires healthcare service plans, health insurers, Medi-Cal managed care plans, and PACE organizations to engage in workforce cultural competency training. Key training elements include:

Adopting inclusive communication techniques by using TGI-inclusive terminology and ensuring respectful, affirming interactions with TGI patients.
Addressing health disparities by explaining how family and community acceptance influence TGI patient health outcomes and integrating this understanding into care practices.
Conducting refresher course training whenever a complaint is filed and upheld against a staff member for failing to provide TGI-inclusive care and administering additional courses more frequently if needed.

Training must be provided to staff who directly interact with enrollees. This includes frontline personnel such as call center representatives, nurses, and other staff members who have contact with patients. Exempt from this training requirement are specialized healthcare service plans providing only dental or vision services and Medicare Advantage plans. Currently, SB 923 does not include any exemptions or opt-outs for staff or providers based on religious, moral, or rights of conscience objections.
While SB 923’s statutory language sets an outer compliance deadline of no later than March 1, 2025, DMHC’s APL 24-018 specifies that all full-service healthcare service plans, regardless of size (and certain specialized plans other than dental or vision-only plans), must ensure that staff complete the required training by February 14, 2025. For health insurers regulated by the Department of Insurance or Medi-Cal managed care plans overseen by the Department of Health Care Services (DHCS), the statutory deadline remains March 1, 2025, unless their respective regulators issue further guidance.
In addition to initial training, DMHC’s APL requires that training be completed every two years thereafter, ensuring ongoing competency. Newly hired staff with direct enrollee contact must complete the training within 45 days of commencing employment. Health plans should also note that regulators may impose sanctions or penalties for noncompliance, reinforcing the importance of meeting these requirements.
UPDATED PROVIDER DIRECTORIES FOR GENDER-AFFIRMING SERVICES
By March 1, 2025, health plans, insurers, and Medi-Cal managed care plans must update their provider directories (as well as call center information) to identify which in-network providers have affirmed and previously provided gender-affirming services. These services might include hormone therapy, gender-confirming surgeries, gender-affirming gynecological care, or voice therapy.
ALREADY-IN-EFFECT CME REQUIREMENTS
Since 2006, curricula for CME courses in California have been required to include cultural and linguistic competency in the practice of medicine. Since 2022, CME course curricula also have been required to include the understanding of implicit bias. SB 923 amended the cultural competency portion of California’s Business and Professions Code Section 2190.1 to require that CME also include TGI health needs. The updated CME curricula should address:

Using correct names, pronouns, and gender-neutral language.
Avoiding assumptions about gender or sexual orientation.
Understanding the discrimination and barriers that TGI patients face, and how implicit bias may influence clinical decisions.
Implementing administrative changes, such as more inclusive intake forms, to create a welcoming care environment.

Cultural competency, including TGI-specific elements, and implicit bias training are not necessary for CME courses offered outside of California to California-licensed physicians and surgeons or as part of CME courses dedicated solely to research or other non-clinical issues lacking a direct patient care component.
IMPLEMENTATION STATUS OF SB 923 CME REQUIREMENTS
Since the TGI-focused CME requirements took effect in 2023, some larger health systems have begun integrating targeted training modules while smaller practices have struggled to find suitable specialized resources. According to the California Association of Health Plans, questions remain about how these training standards will align and be enforced across various health plans and delegated entities. Despite these uncertainties, incremental progress continues. As more healthcare organizations develop approved training resources and toolkits, accessibility and overall cultural competency likely will improve.
PRACTICAL STEPS FOR COMPLIANCE

For Healthcare Providers: Integrate the updated CME modules into existing physician education, revise administrative materials (intake forms, electronic medical records) to reflect inclusive language, and ensure all frontline staff are trained in respectful, TGI-inclusive communication.
For Health Plans and Insurers: Implement TGI-focused training as specified by DMHC: for full-service healthcare service plans, by February 14, 2025, and for other regulated entities, by the statutory deadline. Update provider directories to highlight gender-affirming providers by March 1, 2025, and establish effective complaint and grievance tracking to ensure accountability. With respect to ERISA-governed self-insured group health plans, SB 923 does not provide an express exception. However, ERISA typically preempts state laws that attempt to regulate employee benefit plans, although fully insured plans are generally subject to state insurance laws and would likely need to comply with SB 923. A plan that is not fully insured or regulated by the California DMHC would generally not need to comply. As of the publication date, we are unaware of any ERISA preemption challenges to SB 923. Some group health plan sponsors may wish to proceed with compliance and continue to watch for any updates.
For Medi-Cal Managed Care Plans and PACE Organizations: Follow guidance issued by regulators, such as the DHCS Policy Letter 24-03, to implement required training, keep provider directories current with gender-affirming providers, and report TGI-related complaints. In addition, remain alert for further instructions from regulators and prepare to incorporate the required standards.

LOOKING AHEAD
When SB 923 was initially debated, some stakeholders opposed the legislation based on religious liberty and rights of conscience grounds, arguing that SB 923’s training mandates amount to unconstitutional compelled speech. However, a recent decision by the US District Court for the Central District of California in Khatibi v. Hawkins suggests that courts may uphold SB 923 as a form of government speech. The case involved a challenge to the implicit bias training requirement because some CME lecturers felt that their First Amendment rights were being violated. The court observed that “[s]tate-mandated curriculum requirements for CME courses necessary for state licensure constitutes government speech because when physicians . . . choose to teach CME courses for credit, they ‘speak for the state.’” (Khatibi v. Hawkins, No. 2:23-cv-06195-MRA-E, 2024 WL 3802523 (May 2, 2024)). The matter is currently under appeal to the US Court of Appeals for the Ninth Circuit.
CONCLUSION
SB 923 represents continued efforts by California toward ensuring that TGI patients receive respectful, informed, and affirming healthcare. With CME requirements already in effect and a range of new mandates, including system-wide training for health plans, updated provider directories, complaint tracking, and eventual quality standards, entities face a multifaceted compliance landscape. DHCS Policy Letter 24-03 and DMHC APL 24-018 provide clarity and actionable guidance, and both reflect the recommendations issued by the Transgender, Gender Diverse, or Intersex Working Group convened under SB 923’s mandate. Formal regulations under SB 923 will be adopted by July 1, 2027, but as the February and March 2025 deadlines approach, stakeholders should proactively implement training, update administrative practices, maintain transparent patient engagement, and follow the newly issued DHCS and DMHC directives.

Navigating New York’s Proposed Cost Market Impact Review

In January 2025, New York Governor Kathy Hochul proposed legislation within her FY 2026 Executive Budget that could significantly reshape healthcare transactions in the state. This legislation introduces a “Cost Market Impact Review” (CMIR) process for material transactions involving healthcare entities, aiming to assess their effects on cost, quality, access, health equity, and competition. While the proposal has sparked conversations across the healthcare and private equity sectors, it offers a pivotal opportunity for strategic planning and collaboration if approached with foresight.
At its core, the CMIR process signals a broader regulatory shift prioritizing transparency and accountability in healthcare transactions. Under the proposed legislation, healthcare entities contemplating material transactions would face an extended pre-closing notice period, new annual reporting obligations, and the potential for lengthy delays due to comprehensive reviews by the New York Department of Health (DOH). For stakeholders, this represents both a challenge and an opportunity to align transactions with the state’s goals of improving healthcare outcomes and equity while ensuring compliance.
Understanding the Proposal’s Scope and Ambiguities
The legislation’s potential impact hinges on several undefined terms, such as what constitutes a “healthcare entity,” “material transaction,” and “de minimis exception.” Currently, healthcare entities broadly include physician practices, health systems, insurers, and management services organizations, among others. The law would apply to transactions that increase a healthcare entity’s gross in-state revenues by $25 million or more. However, how “in-state revenues” are calculated remains ambiguous, leaving room for interpretation.
The proposed legislation also empowers the DOH to require extensive documentation during its preliminary review and potential CMIR. While these measures aim to protect patients and communities by fostering competition and health equity, they may add layers of complexity and delay to transactions, particularly for private equity sponsors and healthcare systems accustomed to more streamlined processes.
Strategic Planning Amid Heightened Scrutiny
Private equity firms, hospital systems, and other stakeholders must adopt proactive strategies to address these regulatory changes. Given the increased focus on healthcare transaction transparency, due diligence will need to evolve. It will no longer suffice to simply evaluate the financial viability and operational synergies of a deal. Instead, stakeholders must incorporate a detailed assessment of a transaction’s impact on access, quality, and equity, as perceived by regulators.
This requires tailoring transaction structures to align with New York’s healthcare priorities. For instance, parties might emphasize commitments to underserved communities, bolster access to primary care, or invest in workforce development as part of their transaction narratives. Doing so not only mitigates regulatory risk but also positions the transaction as a partnership with the state in achieving shared healthcare goals.
Implications for Private Equity and Healthcare Systems
For private equity firms, the proposed legislation underscores the importance of long-term planning in healthcare investments. Firms will need to engage legal and regulatory experts early to navigate the complexities of compliance. Moreover, these firms should be prepared to articulate how their transactions contribute to innovation and sustainability in healthcare delivery.
Healthcare systems, on the other hand, may face challenges balancing transaction timelines with regulatory compliance. However, this moment also presents an opportunity for hospital systems to demonstrate leadership in addressing cost and quality challenges. By proactively engaging with state regulators, healthcare systems can set a collaborative tone, shaping CMIR outcomes in their favor.
Opportunities Amid Challenges
While the CMIR process may lengthen transaction timelines and require more robust documentation, it also opens the door for stakeholders to differentiate themselves. Transactions that clearly address New York’s objectives—whether by improving access to care, addressing social determinants of health, or enhancing health equity—will likely stand out in the regulatory process.
Furthermore, the proposal encourages healthcare entities to think beyond traditional metrics of success. Transactions that integrate advanced data analytics, innovative care models, or population health initiatives may not only meet regulatory requirements but also unlock new avenues for growth and patient impact.
Looking Ahead
The proposed legislation reflects a growing trend across the U.S., where states are increasingly scrutinizing healthcare transactions to ensure alignment with public policy goals. Massachusetts and Indiana have introduced similar requirements, and other states may follow suit. As such, the New York proposal serves as both a cautionary tale and a roadmap for stakeholders navigating this evolving landscape.
For private equity firms, hospital systems, and other healthcare stakeholders, now is the time to adapt. This means not only preparing for regulatory compliance but also embracing a more collaborative approach to transactions. By aligning with state priorities, stakeholders can turn regulatory challenges into opportunities to drive meaningful, sustainable change in healthcare delivery.
The road ahead requires careful navigation, but the potential rewards—improved healthcare outcomes, stronger partnerships with regulators, and enhanced community impact—make the journey worthwhile.

Massachusetts Expands Oversight of Private Equity Investment in Healthcare: Key Takeaways from House Bill 5159 Signed into Law by Governor Healey

On January 8, 2025, Massachusetts Governor Maura Healey signed House Bill 5159 (“H.5159”) into law, marking a notable expansion of the regulation of private equity investments within the Massachusetts healthcare sector. The legislation, set to take effect on April 8, 2025, introduces new measures to enhance transparency and accountability in healthcare transactions, focusing specifically on private equity firms, real estate investment trusts (“REITs”), and management services organizations (“MSOs”). This development also reflects a broader trend across the nation of increasing scrutiny of healthcare transactions and investments by private equity firms and other investors, as highlighted in our previous blog series on California’s Assembly Bill 3129.[i]
Key Provisions of H.5159
The enactment into law of H.5159 increases oversight of healthcare transactions in Massachusetts in several ways:
1. Expanded Definition of Material Changes Requiring Notice to the Massachusetts Health Policy Commission and Potential for Further Delays to Closing
Pre-existing Massachusetts law mandates that healthcare providers and provider organizations, including physician practices, healthcare facilities, independent practice associations, accountable care organizations, and any other entities that contract with carriers for the payment of healthcare services, with more than $25 million in Net Patient Service Revenue[ii] in the preceding fiscal year must submit a Material Change Notice (“MCN”) to the Massachusetts Health Policy Commission (“HPC”), Center for Health Information and Analysis (“CHIA”), and Office of the Attorney General at least 60 days prior to a proposed “material change” involving such entity.
Before H.5159 was enacted, the definition of “material change” already encompassed several types of transactions involving healthcare providers and provider organizations with more than $25 million in Net Patient Service Revenue, requiring them to submit an MCN to the Massachusetts HPC, CHIA, and Office of the Attorney General. These include:

A merger, acquisition, or affiliation between a healthcare Provider and an insurance carrier;
A merger, acquisition, or affiliation involving a hospital or hospital system;
Any acquisition, merger, or affiliation that results in an increase of $10 million or more in annual net patient service revenue, or grants the Provider or Provider Organization near-majority market share in a specific service or geographic area;
Clinical affiliations between two or more Providers or Provider Organizations with annual net patient service revenue of $25 million or more, excluding affiliations solely for clinical trials or medical education purposes; and
The formation of new entities such as joint ventures, MSOs, or accountable care organizations that contract with insurers or other administrators on behalf of healthcare Providers.

H.5159 notably broadens the definition of “material change” to include also:

Transactions involving a Significant Equity Investor that result in a change of ownership or control of a Provider or Provider Organization;
“Significant” acquisitions, sales, or transfers of assets, including, but not limited to, real estate sale-leaseback arrangements;
“Significant expansions” in a Provider or Provider Organization’s capacity;
Conversion of nonprofit Providers or Provider Organizations to for-profit entities; and
Mergers or acquisitions of Provider Organizations that will result in the Provider Organization having a dominant market share in a service or region.

The term “Significant Equity Investor” is broadly defined to include: (i) any private equity firm holding a financial interest in a Provider, Provider Organization, or MSO; and (ii) any investor, group of investors, or entity with ownership of 10% or more in such organizations. The definition specifically excludes venture capital firms solely funding startups and other early-stage businesses.
While the law expands the definition of “material change” to encompass the categories listed above, it does not explicitly define what constitutes a “significant acquisition,” “significant expansion,” or “change of ownership or control.” As of now, these terms are left to be clarified by the HPC through further regulation and guidance. Stakeholders should monitor future regulatory updates from the HPC to understand the specific thresholds for these types of transactions.
If the HPC determines within 30 days of receiving a complete MCN that a “material change” may significantly affect Massachusetts’ ability to meet healthcare cost growth benchmarks or impact market competition, the HPC can initiate a Cost and Market Impact Review (“CMIR”). This process requires detailed submissions from transaction parties and significantly extends the transaction timeline to close a deal.
The amended law also enhances the HPC’s information-gathering capabilities, authorizing the HPC to request detailed data on Significant Equity Investors, including financial data and capital structure information. Additionally, the HPC can now monitor and collect information on post-transaction impacts for up to five years following a material change. While nonpublic information submitted to the HPC remains confidential, the filed MCN and the completed CMIR report will be publicly available on the HPC’s website.
Although the HPC cannot directly prohibit a transaction or impose conditions, it can refer its CMIR findings to the Massachusetts Attorney General, Massachusetts Department of Public Health (“DPH”), or other state agencies for further action.
2. Investors May be Called as Witnesses at Annual Public Hearings
H.5159 authorizes the HPC to assess the impact of Significant Equity Investors, healthcare REITs, and MSOs on healthcare costs, prices, and cost trends. HPC is empowered to call a representative sample of these investors to testify at its annual public hearings under oath. The Attorney General may intervene in these hearings, ensuring rigorous oversight and accountability.
3. Annual Financial Reporting Requirements
Certain Provider Organizations are already required to register with the HPC (“Registered Provider Organizations”) and submit annual reports to the CHIA. To be subject to the registration requirement, a provider organization must meet at least one of the following criteria: (a) annual net patient service revenue from private carriers or third-party administrators of at least $25 million in the prior fiscal year; (b) a patient panel of more than 15,000 over the past 36 months; or (c) classification as a risk-bearing provider organization, regardless of revenue or panel size. This includes, but is not limited to, physician organizations, independent practice associations, accountable care organizations, and provider networks.
H.5159 expands reporting obligations for Registered Provider Organizations to include detailed information about the Registered Provider Organization’s Significant Equity Investors, healthcare REITs, and MSOs. It also clarifies that Registered Provider Organization financial statements must cover parent entities’ out-of-state operations and corporate affiliates. Additionally, the amended law authorizes the state to require quarterly submissions from Registered Provider Organizations with private equity involvement. These submissions may include audited financial statements, structure charts, margins, investments, and relationships with investor groups. Organizations must also report on costs, annual receipts, realized capital gains and losses, accumulated surplus, and reserves. The HPC will monitor prior transactions and investments for up to five years and notify organizations of future reporting deadlines as needed.
4. Penalties for Noncompliance with Reporting Requirements
H.5159 imposes stricter penalties for failing to submit required financial reports. Entities missing reporting deadlines may face fines of up to $25,000 per week after a two-week grace period, with no annual penalty cap. This is a substantial increase from prior penalties, which were capped at $50,000 annually.
5. Expanded Authority for the Attorney General
The Massachusetts Attorney General is authorized to review and analyze any information submitted to CHIA by a provider, provider organization, Significant Equity Investor, health care REIT, MSO or payer. The Attorney General may compel such entities to produce documents, answer interrogatories, or provide testimony under oath concerning healthcare costs, cost trends, and the relationship between provider costs and payer premiums.
The Attorney General may disclose such information during HPC annual public hearings, rate hearings before the Division of Insurance, and legal proceedings because the law deems such information to be in the public interest.
6. Expanded Massachusetts False Claims Act Liability
H.5159 amends the Massachusetts False Claims Act (the “MA FCA”), which is broader in scope than the Federal False Claims Act, to expand liability to entities holding an “ownership or investment interest” in a person or entity violating the MA FCA. Specifically, private equity owners and other investors who are aware of a violation and fail to report and remedy it within 60 days of discovery may be held liable. The law codifies this expanded accountability, explicitly including investor groups among those who can be held responsible for untimely reporting violations. Additionally, the amendments clarify the Attorney General’s authority to issue civil investigative demands to healthcare entities and investor groups.
Notable Exclusions from Earlier Proposals
H.5159 reflects several compromises that were made during the legislative process, resulting in a more moderate version compared to earlier proposals. The process began in May 2024 with the introduction of House Bill 4653, followed by Senate Bill 2871 in July 2024.[iii] Senate Bill 2871 included stricter requirements than those in House Bill 4653, but lawmakers struggled to reconcile the differences before the legislative session deadline on July 31, 2024. This stalemate led to renewed efforts in December 2024, which ultimately resulted in the passage of H.5159.
While H.5159 carries forward many of the provisions from the earlier bills, it also removes certain measures that stakeholders had identified as too burdensome, as outlined below. These exclusions include:

Restrictions on Practice Ownership and Clinical Decision Making: provisions explicitly codifying restrictions on healthcare practice ownership and prohibiting MSOs or other healthcare entities from exerting control over clinical decisions were omitted.
Boundaries Between MSOs and Physician Practices: H.5159 also excludes specific boundaries that were previously proposed to regulate the relationship between physician practices and MSOs, including restrictions on MSOs exerting ultimate control over the finances of healthcare practices and limitations on stockholders’ ability to transfer, alienate, or exercise discretion over their ownership interests in the practices.
Maximum Debt-to-EBITDA: A provision that would have allowed the Massachusetts HPC to set a maximum debt-to-EBITDA ratio for provider organizations with private equity investors was removed from the final bill that was signed into law.
Bond Requirements for Private Equity Firms: H.5159 does not include the previously proposed requirement that private equity firms deposit a bond with the DPH when submitting an MCN, including when acquiring a provider organization.

Conclusion
The passage of H.5159 represents a pivotal moment in Massachusetts’ efforts to regulate investment in health care. It also reflects, however, a compromise that did not impose even more stringent requirements that were set to impact providers, provider organizations, and investors.
Investors, including private equity firms, and healthcare providers and provider organizations, will need to adapt to the enhanced oversight mechanisms and implement more thorough due diligence practices to ensure transparency and avoid penalties for non-compliance. Pre-transaction, this includes ensuring thorough documentation and proactive engagement with regulatory authorities. Post-transaction, entities must implement systems to track and report required financial and operational data accurately and on time.
As H.5159 takes effect, we will continue to monitor and report on any further regulatory updates, particularly those concerning the HPC’s development of regulations to implement this law.

FOOTNOTES
[i] Update: Governor Newsom Vetoes California’s AB 3129 Targeting Healthcare Private Equity Deals | Healthcare Law Blog (sheppardhealthlaw.com), published October 2, 2024, Update: AB 3129 Passes in California Senate and Nears Finish Line | Healthcare Law Blog (sheppardhealthlaw.com), published September 6, 2024, California’s AB 3129: A New Hurdle for Private Equity Health Care Transactions on the Horizon? | Healthcare Law Blog (sheppardhealthlaw.com), published April 18, 2024, and Update: California State Assembly Passes AB 3129 Requiring State Approval of Private Equity Healthcare Deals | Healthcare Law Blog (sheppardhealthlaw.com), published May 30, 2024.
[ii] Net Patient Service Revenue refers to revenue received for patient care from third-party payers, net of contractual adjustments, with distinctions depending on the type of Provider or Provider Organization. For hospitals, it must comply with Massachusetts General Laws Chapter 12C, Section 8, requiring standardized reporting of gross and net revenues, including inpatient and outpatient charges, private sector charges, payer mix adjustments, and revenue from additional services. For other providers and provider organizations, it includes all revenue from third-party payers, prior-year settlements, and premium revenue (per-member-per-month payments for comprehensive healthcare services). 950 CMIR 7.00.
[iii] See our prior blog for background on Senate Bill 2871: Massachusetts Senate Passes Bill to Increase Oversight of Private Equity Healthcare Transactions | Healthcare Law Blog

New York’s Proposed Health Information Privacy Act Takes Aim at Digital Health Companies

The New York Health Information Privacy Act (NYHIPA), if enacted, could create a chilling effect on patient access to and engagement with readily available digital health care services relied upon by New Yorkers. Digital health companies will likely struggle to maintain patient engagement and care coordination and will almost certainly face hurdles in improving their products and services due to the financial and operational burdens created by NYHIPA.
As of January 23, 2025, the NYHIPA had passed both the New York Senate and Assembly and will be routed to the Governor for possible signature. If enacted, the NYHIPA would significantly impact how digital health companies collect, disclose, and use consumer health information in New York.
Who is regulated?
As currently drafted, NYHIPA will be applicable to any health care organization with patients or customers that have a connection to New York.
Specifically, NYHIPA would apply to any entity that:

controls the processing of regulated health information of a New York resident,
controls the processing of regulated health information of an individual who is physically present in New York while that individual is in New York, or
is located in New York and controls the processing of regulated health information.

The entity-level exemptions are limited as compared to other consumer data privacy laws. HIPAA-covered entities are exempt but only to the extent the entity maintains patient information in the same manner as HIPAA-protected health information. Although traditional medical records maintained by HIPAA-covered entities will likely be exempt, personal information collected early in the user workflow will likely be governed by NYHIPA and subject to the strict authorization requirements discussed below prior to any processing by a regulated entity — unless the entity is a HIPAA-covered entity and treats that information as HIPAA-protected health information.
What information is regulated?
NYHIPA seeks to regulate any and all information that could be linked to health or wellness, including device data. The information regulated is any information that is reasonably linkable to an individual or a device, collected or processed in connection with the physical or mental health of an individual, including location or payment information that relates to an individual’s physical or mental health or any inference drawn or derived about an individual’s physical or mental health that is reasonably linkable to an individual or a device. HIPAA-protected health information and deidentified information would be exempt from regulation.
What are the processing restrictions?
“Processing” would need to be narrowly tailored to the specific product or service requested by an individual, unless an explicit authorization is obtained. Processing, as defined under NYHIPA, generally means any operation performed on health information, including the collection, use, disclosure, access, sale, sharing, creation, generation, or deidentification of health information.
Regulated entities cannot process health information unless:

the individual has provided an authorization; or
the processing is strictly necessary for certain enumerated purposes, including providing or maintaining a specific product or service requested by such individual or conducting the regulated entity’s internal business operations.

Most importantly, and what will surely cause angst within the digital health community, internal business operations expressly exclude any activities related to marketing, advertising, research and development, or providing products or services to third parties without explicit authorization from the individual authorizing such activities.
When can an authorization be obtained and what must the authorization include?
NYHIPA will prohibit an authorization from being obtained from an individual for 24 hours after account creation or first use of the product or service. Opt-in consent will not be enough, as explicit authorization will be required for each activity not deemed strictly necessary to the products or services requested by the individual.
The authorization must

(i) be made separately from any part of a transaction;
(ii) be made at least 24 hours after the individual creates an account or first uses the requested product or service; and
(iii) allow the individual to provide or withhold authorization separately for each category of processing activity, among other requirements.

For individuals who have an online account with the entity – which will be the case for most digital health companies – the regulated entity must provide, “in a conspicuous and easily accessible place within the account settings,” a list of all processing activities for which the individual has provided authorization and, for each processing activity, allow the individual to revoke authorization in the same place “with one motion or action.” Entities cannot make a product or service contingent on providing authorization and cannot discriminate against an individual for withholding authorization, such as by charging different prices for products or services, including through the use of discounts or other benefits.
Is a privacy notice required?
NYHIPA would require a privacy notice if a regulated entity processes health information for a permissible purpose without an authorization. The notice would need to include the information processed, the nature of the processing activity, the “specific purposes” for such processing, names or categories of service providers and third parties to whom information is disclosed and the purpose of the disclosure, and the mechanism by which the individual may request access to and deletion of their health information. Notably, if the regulated entity materially alters its processing activities, the regulated entity would need to provide a clear and conspicuous notice, separate from a privacy policy, terms of service, or similar document, that describes any material changes to the processing activities and provide the individual with an opportunity to request deletion of the individual’s health information. Note that unlike other consumer data privacy laws, the only exception to the deletion requirement under NYHIPA as proposed allows retention “to the extent necessary to comply with the regulated entity’s legal obligations.”
What are other key requirements digital health companies should be aware of?
NYHIPA will require service providers to segregate health information by regulated entity. Regulated entities would need to enter into a written agreement with service providers. The required terms for those agreements generally look similar to other consumer data privacy laws. However, NYHIPA also requires that the service provider:

(i) not combine the health information which the service provider receives from or on behalf of the regulated entity with any other personal information which the service provider receives from or on behalf of another party or collects from its own relationship with individuals; and
(ii) notify the regulated entity “a reasonable time in advance” before sharing health information with any further service providers.

All websites and communications would need to be reasonably accessible to individuals with disabilities and available in languages in which the regulated entity provides information via its website and services.
When could this law be effective and what are the possible penalties?
NYHIPA would go into effect one year after the bill is signed into law.
The New York Attorney General would have authority to enforce the law, including civil penalties of the greater of $50,000 per violation or 20% of the revenue obtained from New York consumers within the past fiscal year, among other remedies. The Attorney General also has authority to promulgate implementing rules and regulations.
What are the practical impacts of NYHIPA?
NYHIPA will pose significant financial and operational hurdles to digital health companies. Regulated entities would be required to upgrade websites and user workflows for each of the processing activities for which the regulated entity would seek authorization from an individual, as well as any necessary upgrades to meet the new accessibility requirements. The 24-hour moratorium on requesting authorization will effectively create a barrier to activities that improve the patient experience, engagement, and education. Service providers will experience financial impact as a result of implementing the requirements to segregate each regulated entity’s health information. Finally, NYHIPA will require digital health companies to comply with yet another state consumer privacy law that materially differs from other state privacy laws.
What should digital health companies do next?
NYHIPA has passed both legislative houses and only awaits the Governor’s signature to become law. As noted above, the effective date for the law would be one year after signature by the Governor. That one-year period is an incredibly short time for digital health companies to implement the changes that would be required to comply with NYHIPA. Therefore, if enacted, digital health companies with patients or customers in New York should immediately begin planning for compliance with NYHIPA.
Health care data privacy continues to rapidly evolve. Thus, digital health companies should closely monitor any new developments and continue to take necessary steps towards compliance. 

Supreme Court of Ohio Affirms Denial of Healthcare Service Provider’s Commercial Activity Tax Refund Claim

The Supreme Court of Ohio upheld the denial of Total Renal Care, Inc.’s (“TRC”) refund claim of Ohio Commercial Activity Tax (“CAT”) that it paid on services that it performed outside of Ohio. Total Renal Care Inc. v. Harris, Slip Op. No. 2024-Ohio-5685 (Ohio Dec. 9, 2024).
The Facts: TRC, a subsidiary of DaVita, Inc., provides dialysis to patients with kidney disease and end-stage renal disease. Dialysis treatments are administered at locations throughout the United States, including in Ohio. In addition to dialysis services, TRC provides laboratory testing services and administrative services, such as back-office support, data processing, and procuring medical equipment and supplies. TRC conducts these services in a number of states outside of Ohio. 
For the years at issue, TRC originally paid CAT on all gross receipts it received from locations in Ohio where dialysis was provided. TRC subsequently filed refund claims and asserted that a portion of those gross receipts were related to its laboratory and administrative services, which were performed outside of Ohio. 
The Ohio Tax Commissioner denied TRC’s refund claims, and the Ohio Board of Tax Appeals (the “Board”) affirmed. TRC appealed the Board’s decision to the Supreme Court of Ohio. 
The Law: The CAT is imposed on “each person with taxable gross receipts for the privilege of doing business in [Ohio].” The statute defines “taxable gross receipts” as receipts with an Ohio situs and provides that receipts from services are sitused to Ohio in the proportion that the purchaser received the benefit of the service in Ohio.
Ohio’s Administrative Code governing situsing receipts provides “the physical location where the purchaser ultimately uses or receives the benefit of what was purchased is paramount in determining the proportion of the benefit received in Ohio.” The Administrative Code lays out a standard specific to healthcare services, which indicates that gross receipts from healthcare services are sitused to Ohio if the healthcare services are performed there.
The Decision: The Supreme Court of Ohio ultimately affirmed the Board’s decision, concluding that patients who received TRC’s dialysis treatment in Ohio received the benefits of such treatment there. The court focused its analysis on TRC’s provision of dialysis because TRC conceded that “the only service it provides to its patients is dialysis[.]” And it admitted that the laboratory and administrative functions “exist solely for its provision of dialysis services to patients in Ohio.” The court found that TRC’s laboratory and administrative services were not provided on a stand-alone basis and were only ancillary to providing dialysis treatment. Thus, the court concluded that the gross receipts at issue were from the provision of dialysis services, not the provision of dialysis, laboratory, and administrative services. 
The court analyzed the facts under both the statutory language and the administrative rules and concluded, under either application, the result was the same. In applying the statute, the court stated “[w]hen determining the location to which gross receipts should be sitused, the taxing authority must look at the location where the purchaser benefited from the purchased service,” and indicated that the purchaser’s physical location is “paramount” to this inquiry. Applying this interpretation to TRC’s facts, the court held that patients who received dialysis in Ohio benefited from such treatment there. In applying the administrative rules, the court stated “if a healthcare service is provided entirely in Ohio, then the entirety of the receipts for that service are sitused to Ohio.” Applying this interpretation to TRC’s facts, the court held that the healthcare service TRC provided was dialysis and such service was provided entirely in Ohio. 
Accordingly, the court held that TRC’s gross receipts it received from locations in Ohio where it provided dialysis should be sitused entirely to Ohio. 

A Primer on Executive Orders and a Preview of the Road Ahead

On January 20, 2025, a new administration took control of the Executive Branch of the federal government, and it has signaled that it will make aggressive use of executive orders. 
This would be a good time to review the scope of executive orders and how they may affect employers and health care organizations.
Executive orders are not mentioned in the Constitution, but they have been around since the time of George Washington. Executive orders are signed, written, and published orders from the President of the United States that manage and direct the Executive Branch and are binding on Executive Branch agencies. Executive orders can be used to implement or clarify existing federal law or policies and can direct and manage the way federal agencies interact with private entities. However, executive orders are not a substitute for either statutes or regulations.
The current procedure for implementing executive orders was set out in a 1962 executive order that requires that all such orders must be published in the Federal Register, the same publication where executive agencies publish proposed and final rules. Once published, any executive order can be revoked or modified simply by issuing a new executive order. In addition, Congress can ratify an existing executive order in cases where the authority may be ambiguous.
Although the President has extensive powers under Article II of the Constitution, that does not necessarily mean that executive orders can be issued and enforced on a whim. Over time, federal courts have reviewed executive orders and typically base their decisions on three questions: (1) has Congress delegated any authority to the President to act through an executive order?; (2) if so, what is the scope of any delegation?; and (3) did the President act within the scope of that delegation?
In a seminal case, Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952), the Supreme Court reviewed an executive order signed by President Truman directing the Secretary of Commerce to take possession of and operate most of the nation’s steel mills to prevent a strike from disrupting steel production during the Korean War. On appeal, the Court ruled that the executive order was not authorized under the Constitution or any statute, and that the President lacked any legislative power. It also rejected the argument that the President had an implied authority to issue the executive order under the military powers delegated to the President, as that did not extend to labor disputes.
More recently, during the COVID-19 pandemic, an executive order used the authority delegated in the Defense Production Act to address potential national defense and food supply disruptions. Nevertheless, deference to an executive order should not be presumed. Even at the height of the pandemic, the Sixth Circuit ruled that the President lacked the authority to issue an executive order mandating that federal contractors be vaccinated against the COVID virus. In Kentucky v. Biden, 23 F.4th 585 (6th Cir. 2022), the Sixth Circuit ruled that the President’s reliance on the Federal Property and Administrative Services Act of 1949 (“FPASA”) was misplaced and did not authorize issuing an executive order binding on federal contractors; it determined that the act’s goal of improving economy and efficiency in federal procurement of property and services applied to the government itself and did not extend to issuing directives that may “improve the efficiency of contractors and subcontractors.”
The question of a delegation of authority to a President is not necessarily solved with an executive order directing an agency to issue regulations. For example, President Biden signed an executive order directing the Secretary of Labor to publish regulations setting a minimum wage of $15 per hour for federal contractors, based on his reading of FPASA. The regulations were challenged, and two Courts of Appeal reached opposite conclusions. In Bradford v. U.S. Dep’t of Labor, 101 F.4th 707 (10th Cir. 2024) the Tenth Circuit ruled that Congress had delegated broad authority under FPASA to the President in the language setting out the act’s purpose, and that he was justified in determining that a $15 minimum wage was consistent with the act’s goals. Nevertheless, in State of Nebraska v. Su, 121 F.4th 1 (9th Cir. 2024), the Ninth Circuit determined that the minimum wage mandate did exceed the authority granted to the President and the Department of Labor. That decision relied on a narrow reading of FPASA, and concluded that the intent of the statute was limited to ensuring that the federal government received value in contracts with private entities, and that setting a minimum wage for the employees of those contractors fell outside the reach of FPASA. Although there was a clear split among the circuits, the Supreme Court declined to resolve the matter. For now, disputes involving executive orders may have to be resolved on a case-by-case basis.
In the future, employers and health care organizations that supply goods or services to federal agencies or federally funded programs should carefully examine any executive orders that affect their business, evaluating not only the content of those orders but also whether they are authorized by law. EBG intends to monitor these developments along with any relevant rulemaking by federal agencies.

Healthcare Policy Options to Reduce the Deficit

The Trump Administration and 119th Congress will likely be targeting trillions of dollars in savings in the year ahead. Healthcare makes up a significant portion of mandatory spending and therefore likely will be a large part of any cost-reduction effort. At the top of the list is Medicaid. Proposals could run the gamut, from changes in Medicaid provider tax rules to changes in eligibility requirements, per capita caps, and work requirements. Medicare cuts are also likely. While President Trump has taken cuts to Medicare benefits off the table, payment policies under consideration include Medicare site neutral payment reforms, 340B reform, and changes in Medicare Advantage (MA) payments.
We’ve compiled a list of possible healthcare options that could contribute to the cuts Republicans aim to make, including a sampling of the key healthcare policy options the Congressional Budget Office identified in its recent report titled “Options for Reducing the Deficit: 2025 to 2034.”

HHS-OIG Issues Favorable Opinion on Free Vaccines Offered by Drug Manufacturer to Patients Receiving Its Treatments

Highlights
A favorable opinion from HHS-OIG involves a drug manufacturer covering the costs of meningococcal vaccines for patients with increased risk of infections due to the manufacturer’s drug treatments
The HHS-OIG found the proposed arrangement improved patient safety and access to treatment for several different rare disorders
The proposed arrangement included several factors that limited risk under the CMP and Anti-Kickback Statutes

The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) recently released Advisory Opinion 24-11, a favorable opinion regarding the federal Anti-Kickback Statute (AKS) and civil monetary penalty laws against beneficiary inducements (CMP) as applied to free meningococcal vaccines provided by a drug manufacturer for patients who receive its treatments. The advisory opinion was requested by the manufacturer of infusion treatments for rare disorders whose treatments greatly increase a patient’s risk of meningococcal infections.
Due to various barriers faced by patients in obtaining recommended meningococcal vaccines prior to treatment, the drug manufacturer proposes to provide free vaccines to patients that: 1) have been prescribed one of the manufacturer’s treatments, 2) enroll in the manufacturer’s patient support program, and 3) have a prescription for a meningococcal vaccine (or vaccines). The patients will receive the vaccines after the manufacturer ships the vaccines to a third-party vendor contracted with the manufacturer, or the patient’s healthcare provider.
If the third-party vendor administers the vaccines, it will not bill any federal healthcare programs or third-party payors for any costs associated with vaccine administration. If the patient’s healthcare provider administers the vaccines, the provider must attest it will not bill any payor for the cost of the vaccines. However, they may still bill an administration fee of approximately $20 to the federal healthcare programs and other payors.
The HHS-OIG concluded the proposed arrangement implicated both the AKS and CMP and would not fall directly within any exception or safe harbor. However, the agency decided the risk of fraud and abuse is sufficiently low and it would not impose sanctions in connection with the proposed arrangement.
The HHS-OIG cited the following factors as limiting the possibility for fraud and abuse:

The proposed arrangement’s chief value to patients is in the form of convenience and safety rather than in the form of financial value because, even absent the proposed arrangement, Medicare enrollees would not incur out-of-pocket expenses related to the vaccinations.
The proposed arrangement is unlikely to result in inappropriate additional costs to federal healthcare programs because the vaccines are not billed to any payors, and healthcare providers administering the vaccines only bill federal healthcare programs for a nominal administration fee.
To the extent those administration fees increase costs to federal healthcare programs, those are costs that the government – through the Food and Drug Administration (FDA) – has actively encouraged in its Risk Evaluation and Mitigation Strategy (REMS) with Elements to Assure Safe Use (ETASU) requirements.
The proposed arrangement would likely lower the costs incurred by federal healthcare programs because the vaccines are provided for free by the manufacturer.
The nominal administration fee is unlikely to motivate a provider to order more products from the manufacturer.
In most cases, the provider ordering one of the manufacturer’s treatments is not the same provider who administers the vaccine, so the administration fee is not likely to corrupt the medical decision-making of the ordering provider.
The manufacturer does not provide any additional free treatment which could influence a patient to select and receive the manufacturer’s drugs.

As a result, the HHS-OIG determined the proposed arrangement was low risk and it would not impose sanctions on the drug manufacturer in connection with the arrangement.
Takeaways
This opinion, like several previous opinions, continues to demonstrate leniency by the HHS-OIG toward arrangements that improve patient safety and access to patient care without significant risks of fraud and abuse. Drug manufacturers should continue to revisit and review their patient support programs in light of the guidance provided in these opinions.

Tenth Circuit Clarifies When the Door for Individual Liability Under the FMLA Is Opened

On January 14, 2025, the U.S. Court of Appeals for the Tenth Circuit ruled in Walkingstick Dixon v. Oklahoma Regional University System Board of Regents that the Family and Medical Leave Act (FMLA) permits actions against individuals in limited circumstances when the individual qualifies as an “employer” under the “economic reality test.”

Quick Hits

The Tenth Circuit affirmed the lower court’s application of the economic reality test to determine whether an individual qualifies as an “employer” and thus may be subject to individual liability under the FMLA.
In doing so, the Tenth Circuit joined the Second, Third, and Eighth Circuits in holding that the FMLA permits claims for individual liability.
Although the Tenth Circuit concluded that a supervisor can be subject to liability under the FMLA, plaintiffs will have difficulty establishing individual liability under the economic reality test.

Summary
The FMLA permits eligible employees to take leave for serious health conditions and prohibits employers from retaliating against employees for doing so. The FMLA defines “employer” to “include[] … any person who acts, directly or indirectly, in the interest of an employer to any of the employees of such employer.”
In Walkingstick Dixon, a former state university employee brought sex and race discrimination and retaliation claims under Title VII of the Civil Rights Act of 1964, as well as a retaliation claim under the FMLA against her former supervisor. The lower court granted summary judgment for the employee’s supervisor on the employee’s FMLA retaliation claim. In doing so, the lower court noted that while the Tenth Circuit had not yet decided whether individuals could be liable under the FMLA, the statute’s plain language and the consensus of Tenth Circuit lower courts supported individual liability so long as an employee could “affirmatively establish” that a supervisor was an employer under the economic reality test.
The economic reality test asks whether an alleged employer possesses the power to control the individual in question. In applying the economic reality test, the lower court recognized that the supervisor had input into the termination decision and supervised and controlled the employee’s work schedule as well as the conditions of her employment. However, the court concluded that the supervisor did not satisfy the FMLA’s definition of “employer” because he could not have discharged the employee on his own, did not maintain the employee’s employment records, and could not approve or deny her FMLA leave requests.
The Tenth Circuit affirmed summary judgment in favor of the former supervisor. In reaching its conclusion, the Tenth Circuit held that (1) the FMLA permits individual liability and (2) the economic reality test applies to determine whether an individual qualifies as an FMLA employer.
Because the employee challenged only whether the economic reality test applied and not whether the lower court properly applied the economic reality test, the Tenth Circuit affirmed summary judgment in favor of the former supervisor without addressing the district court’s application of the test.
The Tenth Circuit’s decision is consistent with other appellate courts. For example, the Second Circuit held that a human resources manager could be held liable as an employer under the FMLA.
Key Takeaways
Employers may want to prepare for an increase in FMLA retaliation claims against individual defendants in the wake of the Tenth Circuit’s Walkingstick Dixon decision. However, as the district court’s decision illustrates, employees likely will have a difficult time proving that the economic realities of the supervisor relationship establish that the supervisor is a statutory employer under the FMLA.

HIPAA Security Rule Updates: New Business for Business Associates

Bradley has launched a multipart blog series on the U.S. Department of Health and Human Services’ (HHS) proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, beginning last week with an overview. The Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025. This marks the first update since the HIPAA Security Rule’s original publication in 2003 and its last revision in 2013. In this weekly series, we will continue to explore the key changes and their implications and provide insights and takeaways for covered entities and their business associates under HIPAA.
What’s New for BAs and BAAs?
This week’s installment is on the proposed changes specifically affecting business associates (BAs) and business associate agreements (BAAs) and responsibilities for covered entities related to business associates who serve as the HIPAA Security Official.
Revisions to BAAs
The NPRM requires regulated entities to include within their BAAs the following new provisions:

Notification to the covered entity (and downstream BAs to the business associate) within 24 hours of activating its contingency plan;
Written verification that the BA (and the downstream BA to the business associate) has deployed technical safeguards as required by HIPAA; and
Requirements to provide written assurances at least once every 12 months that the BA has implemented technical safeguards validated by cybersecurity subject matter experts and certified by a person of authority at the BA. 

In addition, as part of the required security risk assessment process, regulated entities must assess the risks of entering a BAA with a current or prospective BA based on this written verification.
The revisions will require updates both to BAAs in effect now and to any new BAAs entered into after the Final Rule is published. Similar to the HITECH rule implementation in 2013, these required revisions will have an on ramp for regulated entities to become compliant. Notably, the transition provisions of the NPRM state that BAAs will be deemed in compliance if the following circumstances exist: (1) the BAA contains the required provisions applicable at the time the Final Rule is published, and (2) the BAA is not renewed or modified within 60 to 240 days after the Final Rule is published. However, all BAAs must be in compliance within a year plus 60 days after the Final Rule is published.
These revisions may create a significant administrative load for regulated entities small and large. In preparation for the Final Rule publication, regulated entities should review their current BAAs to confirm these agreements are up to date with current requirements in effect at the time of execution to take advantage of the on ramp for compliance. Even under current law, regulated entities also may benefit from updating their vendor management programs to request written verification of technical safeguards based on the level of risk associated with their business associate’s handling of PHI.
Covered Entity Delegation of Security Officials
The NPRM also confirms the possibility for a covered entity to appoint a business associate as the Security Officer. Importantly, the HHS clarifies its view that the covered entity still remains liable for ultimate compliance with the Security Rule even if the service is contracted to a business associate.
The HHS Office for Civil Rights (OCR) will accept comments through March 7, 2025.
In our upcoming posts in this series, we will delve into changes to the HIPAA Security Rule affecting group health plans and current thinking related to AI technologies.
Please visit HIPAA Security Rule NPRM and the HHS Fact Sheet for additional resources.

EU Council Adopts European Health Data Space Regulation

On January 21, 2025, the Council of the EU adopted the European Health Data Space Regulation (the “EHDS Regulation”). The EHDS Regulation aims at making cross-border exchange and access to EU health data easier, improving individuals’ control over their personal electronic health data and enabling the reuse of certain health data for research and innovation purposes.
Background
On May 3, 2022, the European Commission unveiled its proposal for a regulation establishing a European Health Data Space. This initiative is part of the Commission’s European Strategy for Data that was released in 2020.
Key Takeaways

The new rules under the EHDS Regulation seek to provide individuals with faster and easier access to their electronic health data, regardless of whether they are in their home country or another EU member state. Moreover, individuals will have greater control over how their health data is used. To facilitate this, EU countries must establish a dedicated digital health authority to oversee the implementation of these provisions.
The EHDS Regulation aims to open new doors for researchers and policymakers by granting access to specific types of anonymized, secure health data.
Digitalization of health data currently varies significantly between EU member states, often creating barriers to cross-border data sharing. The EHDS Regulation seeks to address this challenge by mandating that all electronic health record systems align with the European electronic health record exchange format, ensuring interoperability across the EU.

The provisions of the EHDS Regulation will become applicable between two and six years after the entry into force of the Regulation. As a regulation, the EHDS Regulation will apply directly in all EU Member States.
The EHDS Regulation is now awaiting formal signature by the Council of the EU and the European Parliament. It will come into effect 20 days after its publication in the Official Journal of the EU.
Read the text of the EHDS Regulation and the Council’s Press Release.