CMS’s ACA Marketplace Integrity and Affordability Proposed Rule – What it may mean for Health Plans
Earlier this month, the Centers for Medicare & Medicaid Services (CMS) released its 2025 Marketplace Integrity and Affordability Proposed Rule (Proposed Rule), proposing a number of enrollment and eligibility policies impacting both Federal and State Exchanges. While CMS frames these policies as necessary to combat fraud and abuse, the impact will be a reduction in enrollment in the ACA Marketplace – with the Proposed Rule estimating that between 750,000 and 2 million fewer individuals will enroll in health insurance plans on the Exchanges in 2026.
The effective date of most of these provisions also coincides with the expiration of the enhanced premium subsidies, which the Biden administration extended through December 31, 2025 through the Inflation Reduction Act (IRA). These enhanced subsidies increased the amount of financial assistance individuals received and expanded eligibility for assistance. On December 5, 2024, the Congressional Budget Office wrote a letter to Congress indicating that the failure to extend these subsidies would result in 2.2 million individuals losing coverage in 2026 and an increase in premiums by 4.3%.
This article outlines the major provisions of the Proposed Rule, followed by a discussion of their potential impact on plans participating in the ACA Marketplace.
Key Provisions of the Proposed Rule
Income Verification Policies. In its Proposed Rule, CMS proposes several changes to the income verification process for applicants applying through the Exchanges. Although CMS stated that these policies are necessary to combat fraud, CMS provided limited examples and evidence of fraud. Such policies include:
Removing the exception allowing Exchanges to rely on an applicant’s self-attestation of projected income, if the Internal Revenue Service (IRS) does not have tax return data to verify household income and family size. Exchanges would need to verify individuals’ enrollment, requiring enrollees to provide additional documentation.
Requiring additional income verification in instances where an applicant’s self-reported projected household income is between 100% and 400% of the Federal poverty level (FPL) but federal tax or other data shows that an applicant’s prior year’s income was below 100%. Individuals would have to prove that their income for the upcoming year is between 100% and 400% of the FPL or be unable to enroll in a plan on an Exchange. This change is intended to identify individuals who may “overinflate” their income to be eligible for coverage. Currently, no income verification is required if the applicant projects a higher income than in their tax return.
Eliminating an automatic 60-day extension (in addition to the general 90-day deadline) when documentation is needed to verify household income in instances of income inconsistency.
Allowing Insurers to Deny Coverage for Past Due Premiums. CMS proposes to repeal a provision which currently prohibits insurers from requiring enrollees to pay past-due premium amounts in order to receive coverage under a new insurance policy or contract term. CMS consequently proposes, subject to state law, to allow insurers to add an enrollee’s past-due premium amount to the initial premium amount the enrollee must pay to effectuate coverage under a new policy or contract term and allow insurers to deny coverage to individuals if the total of past-due premiums and the initial premium amount are not paid in full. The stated purpose of this policy is (i) to curtail individuals from taking advantage of guaranteed coverage and seeking coverage when they need health care services, and (ii) to strengthen the risk pool and lower gross premiums.
Revision of Premium Payment Thresholds. CMS proposes to remove flexibilities that currently allow insurers to implement a fixed dollar and/or gross percentage-based premium payment threshold. Under current rules, insurers may consider enrollees to have fully paid their premiums if (i) under the fixed-dollar premium payment threshold, the enrollee has paid a total premium amount such that the unpaid remainder is $10 or less (adjusted for inflation), or (ii) under the gross percentage-based premium payment threshold, the enrollee has paid a total premium amount sufficient to achieve 98% or greater of the total gross monthly premium of the policy before the application of the advance premium tax credit (APTC). Under the Proposed Rule, insurers would only be allowed to implement a net premium percentage-based payment method where enrollees can meet the threshold by paying a total premium amount sufficient to achieve 95% or greater of the total net monthly premium amount owed.
Ineligibility for APTCs after one Year of Failing to Reconcile. CMS proposes to revise the “failure to file and reconcile process” by reinstating a 2015 policy that requires Exchanges to determine whether an individual is ineligible for the APTC if he or she did not file a Federal income tax return and reconcile their APTC amount in any given year. Currently, individuals will be deemed ineligible for failure to file and reconcile for a two-year span.
Changes to Open and Special Enrollment Periods. Under the Proposed Rule, CMS also seeks to shorten the Open Enrollment Period (OEP) and make several changes to Special Enrollment Periods (SEPs), including:
Shortening the OEP for all individual market Exchanges and off-Exchange individual health insurance (non-grandfathered) from the current November 1st to January 15th period to a November 1st to December 15th period.
Removing the “low-income SEP” from both the Federal and State Exchanges. Currently, individuals whose projected household income is at or below 150% of the FPL have a SEP under the Federal and most State-based Exchanges whereby they can enroll or change plans on a monthly basis. CMS is proposing to remove this SEP. The stated purpose of this action is to reduce adverse selection (i.e., reduce the number of enrollees who sign up for health insurance only when they need coverage).
Requiring pre-enrollment verifications for applicants seeking coverage through a SEP. Currently, the Exchanges allow applicants to self-attest that, due to a change of circumstance, they qualify for a SEP (e.g., loss of employer coverage, marriage). The Proposed Rule would change the ability to self-attest and require applicants to submit documentation to the Exchanges.
Requiring Active Re-Enrollment. CMS also seeks to eliminate automatic re-enrollment for fully subsidized enrollees by proposing that enrollees whose premium payment amount would be $0 after application of the APTC be required to pay a $5 monthly premium until they update their Exchange application with an eligibility redetermination confirming their eligibility for the APTC.
Repeal of Bronze to Silver Plan Cross-Walking. CMS proposes to repeal regulations that currently allow Exchanges to move enrollees eligible for cost sharing reduction, which covers out-of-pocket healthcare costs and deductibles, from a bronze Qualified Health Plan (QHP) to a silver QHP for an upcoming plan year if a silver QHP is available (i) in the same product, (ii) with the same provider network, and (iii) with a lower or equivalent net premium post APTC-application.
Ineligibility of DACA Recipients. CMS proposes to remove Deferred Action for Childhood Arrivals (DACA) recipients from the definition of “lawfully present,” which in effect renders DACA recipients ineligible for enrollment in a QHP through the Exchange.
Prohibition of Coverage of Gender Affirming Care. CMS proposes to prohibit health insurance plans subject to the ACA’s essential health benefits (EHBs) from providing sex-trait modification, also commonly known as gender-affirming care, beginning Plan Year 2026. EHBs are ACA-required minimum coverage categories that plans subject to the ACA must cover; EHBs are state or region specific and are determined based upon comparison to an EHB-benchmark plan that all other plans must mirror. This prohibition would in effect restrict all non-grandfathered insurance plans in the individual and small group markets, on- and off-Exchange, from covering sex-trait modification services.
Updates to the Premium Adjustment Methodology. CMS further seeks to update the premium adjustment methodology, which is used to set several different coverage parameters, including maximum out-of-pocket cost-sharing (MOOP), premiums, and tax credits. By way of background, the current premium adjustment methodology took a more stable approach given the uncertainty of premiums during the end of the COVID-19 Public Health Emergency. Under the Proposed Rule, beginning in 2026, CMS is proposing using an adjusted private individual and group market health insurance premium measure. Such a change will likely cause an increase of MOOP and an increase in premiums.
Updating De Minimis Thresholds. Plans on the Exchange are considered bronze, silver, gold, and platinum based on their actuarial value – whereby bronze plans must cover 60% of an average enrollee’s costs, silver plans cover 70%, gold plans cover 80%, and platinum plans cover 90%. Insurers may offer a specific plan if it is within a “de minimis range” of this target value – for example, insurers may offer bronze plans so long as the actuarial value is within +5% and -2% of 60%. Similarly, insurers can offer a silver, gold, or platinum plan if its value is within +2/-2 percentage points. CMS proposes to change the de minimis ranges to +2/-4 percentage points for all individual and small group market plans subject to the actuarial value, except expanded bronze plans. Further, CMS seeks to include a de minimis range of +1/-1 percentage points for income-based silver cost-share reduction plan variations (which was previously −0/+1 percentage points). In the Proposed Rule, CMS estimates that this proposal would decrease premiums by one percent; however, it is likely to reduce the APTCs available.
Evidentiary Standard for Terminating Agents and Brokers. The Proposed Rule seeks to revise the standard for the Department of Health and Human Services (HHS) to terminate agents, brokers, and web-brokers for cause from the Federally-facilitated Exchange by adding a “preponderance of the evidence” standard of proof regarding issues of fact. HHS may terminate its agreements with agents, brokers, and web-brokers for cause for instances of non-compliance, fraud, and abusive conduct. Currently, regulations do not indicate an evidentiary standard HHS must apply; instead, the regulation states that HHS may terminate “in HHS’s determination.” CMS states that this change would “improve transparency in the process of holding agents, brokers, and web-brokers accountable for compliance.”
Potential Impacts to Plans
This Proposed Rule will have a direct impact on enrollment in the Exchanges. By adding measures that will increase premiums, reduce APTCs, and increase the administrative burden of applying and verifying enrollment, CMS will in effect discourage enrollment and decrease the number of individuals eligible for enrollment. Further, the changing rules may specifically discourage younger and/or healthier individuals from enrolling. This decrease in enrollment, coupled with the expected decrease in enrollment due to the expiration of the enhanced subsidies, could threaten the stability of the ACA Marketplace in the long run.
DEA Telemedicine Rules Further Delayed Until (Nearly) 2026
Those waiting anxiously for the rules expanding the prescribing of buprenorphine via telemedicine and the controlled substance prescribing for patients at the Department of Veterans Affairs to officially go into effect will now have to wait until New Year’s Eve—December 31, 2025.
Practitioners will, however, be allowed to continue prescribing via telemedicine without first having an in-person visit with the patient, owing to COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications, in effect through the same end-of-year date.
A seven-page document released by the Department of Justice’s Drug Enforcement Administration (DOJ, DEA) and Department of Health and Human Services (HHS)—scheduled to be published in the Federal Register on March 24—further delays the effective dates of the “Expansion of Buprenorphine Treatment via Telemedicine Encounter” Final Rule and the “Continuity of Care for Veterans Affairs Patients” Final Rule, both dated January 17, 2025.
As we alerted you in February, these same two rules, collectively referred to as the “Buprenorphine and VA Telemedicine Prescribing Rules,” were originally scheduled to become final on February 18, 2025 but were delayed until March 21, 2025.
The first delay stemmed from the January 20, 2025, Presidential Memorandum titled “Regulatory Freeze Pending Review” (the “Freeze Memo”) that empowered federal departments and agencies to “consider postponing” the dates of rules published but not yet in effect.
After reviewing the 32 comments that the first delay generated, the DOJ now “wishes to further postpone the effective dates for the purpose of further reviewing any questions of fact, law, and policy that the rules may raise,” despite the fact that 13 of the 32 commenters wished to finalize the effective date of the two rules as soon as possible.
The Rules
The Buprenorphine and VA Telemedicine Prescribing Rules amended previous regulations to expand the circumstances under which:
practitioners registered by DEA are authorized to prescribe schedule III-V controlled substances approved by the FDA for treatment of opioid use disorder via a telemedicine encounter; and
VA practitioners acting within the scope of their VA employment are authorized to prescribe schedule II-IV controlled substances via telemedicine to a VA patient with whom they have not conducted an in-person medical evaluation, if another VA practitioner has, at any time, previously conducted an in-person medical evaluation of the VA patient, subject to conditions.
The EBG team continues to monitor any changes to the Buprenorphine and VA Telemedicine Prescribing Rules.
Additional Author: David Shillcutt
The Ketamine Administration Market: A Legal Guide for Healthcare Entities
Ketamine is rapidly gaining attention as a legitimate treatment for depression, PTSD, and chronic pain. While traditionally used as an anesthetic, its off-label therapeutic benefits have driven significant growth in ketamine infusion clinics and home-treatment models. This has created an exciting but complex opportunity for healthcare entities eager to expand into the market.
Key Considerations for Entering the Market
Before establishing a ketamine administration service, it’s crucial to understand the regulatory landscape. Ketamine is classified as a Schedule III controlled substance, meaning there are strict federal and state rules regarding its prescribing, storage, and administration. Healthcare providers must register with the Drug Enforcement Administration (DEA) and adhere closely to rules surrounding controlled substances. Additionally, federal telehealth regulations—which significantly impact home-based ketamine therapies—are evolving, meaning businesses must stay informed about changing compliance requirements.
In New York and similarly regulated states, only licensed healthcare professionals, typically physicians, can own or operate medical practices administering ketamine. Non-physician entrepreneurs must navigate carefully structured arrangements, like Management Services Organizations (MSOs), to legally participate in the business side without violating state regulations. It’s also critical to recognize that, beyond federal regulations, state laws and requirements can vary widely. Healthcare entities planning to operate across state lines must ensure compliance with each individual state’s rules.
Risks and Liabilities
Entering the ketamine treatment field brings significant responsibilities. Safety and patient oversight are primary concerns, especially given the drug’s potential side effects. Whether treatments are administered in-clinic or at-home, appropriate medical supervision and thorough patient monitoring are essential to protect patient health and mitigate legal risks. Moreover, improper handling or prescribing of ketamine can lead to serious regulatory penalties or malpractice claims. Ensuring strict adherence to patient screening, informed consent practices, secure drug storage, and detailed record-keeping is fundamental. Providers must also consider robust emergency protocols specifically tailored for ketamine administration.
Understanding MSO Agreements: Key Considerations for Healthcare Providers
As healthcare providers look to streamline operations and improve efficiency, Management Service Organizations (“MSOs”) have become increasingly vital in helping medical practices, dental offices, and other healthcare entities manage non-clinical functions. MSOs typically provide administrative support, including billing, non-clinical human resources, IT management, and compliance services. These partnerships enable healthcare providers to focus on delivering quality patient care while MSOs handle the back-office tasks.
However, entering into an MSO agreement is a significant decision that requires careful legal consideration.
What is an MSO Agreement?
An MSO agreement is a contract between a healthcare provider (such as a physician practice) and an MSO. The MSO provides non-clinical services such as management, billing, non-clinical human resources, compliance, and office administration, allowing a healthcare practice to focus solely on patient care. By entering into this agreement, healthcare providers can streamline operations, reduce overhead, and enhance efficiency without sacrificing quality.
That said, MSO agreements are more than just administrative contracts – they often carry substantial legal and regulatory implications. Ensuring that your MSO agreement is structured correctly is critical for your practice’s success and legal compliance.
Key Considerations in MSO Agreements
1. Compliance with Healthcare Regulations
Healthcare is one of the most heavily regulated industries, and MSO agreements must comply with numerous federal and state laws, including the Stark Law, Anti-Kickback Statute, and other regulatory guidelines. MSOs must not provide services in a way that would violate these laws, particularly when they involve relationships between healthcare providers and third-party vendors.
Pro Tip: Always consult with legal counsel to ensure that the MSO agreement is structured to avoid conflicts of interest and potential regulatory violations.
2. Ownership and Control
One of the central issues in any MSO agreement is determining who controls the business operations. While an MSO can offer significant operational support, healthcare providers must always maintain clinical autonomy. The agreement must clearly define the scope of services, ensuring that the MSO does not infringe upon the practice’s medical decision-making.
Pro Tip: Ensure that the agreement specifies that clinical decisions remain under the control of the healthcare providers and that MSOs only handle non-clinical functions.
3. Fee Structure and Compensation
The financial terms of an MSO agreement are critical. The fee arrangement should reflect fair market value and should be structured in a way that aligns with both parties’ interests. For example, the MSO might be compensated on a flat fee, percentage of revenue, or another model. It is essential to carefully negotiate this provision to avoid potential legal risks.
Pro Tip: Work with a healthcare law expert to establish a fair and transparent fee structure that avoids any potential for abuse under fraud, waste and abuse laws.
4. Termination and Exit Strategy
MSO agreements often last for a set period, but healthcare practices should plan for the possibility of termination or acquisition by private equity investors. It is important to outline clear terms for contract termination, including any notice periods and exit strategies. These provisions protect both parties and provide clarity if either party wishes to end the relationship or modify the terms.
Pro Tip: Ensure that the contract includes adequate safeguards for data protection, patient confidentiality, and transition planning in the event of termination. Further, because a successful MSO model in a practice is particularly attractive to private equity investors, it is crucial that the agreement is structured in a way that would allow for the acquisition of the practice in the future.
5. Liability and Risk Management
MSOs often provide services that carry legal risks, including billing, compliance, and human resources. It is essential that the MSO agreement clearly delineates liability, particularly regarding errors in services provided by the MSO. Any misstep in these areas can lead to significant exposure for the healthcare provider.
Pro Tip: Consider including indemnity clauses and releases that protect the healthcare provider from liability for the MSO’s mistakes or negligence.
Health Fitness, OCR’s Risk Analysis Initiative, and the ERISA Fiduciary Duty to Select Plan Service Providers
On Friday, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced the fifth enforcement action under its Risk Analysis Initiative. In this case, OCR reached a settlement with Health Fitness Corporation (Health Fitness), a wellness vendor providing services to employer-sponsored group health plans.
This announcement is interesting for several reasons. It furthers the OCR’s Risk Analysis Initiative. The enforcement action is a reminder to business associates about HIPAA compliance. The announcement also points to a significant development under ERISA for plan fiduciaries and service providers to their plans.
The OCR Risk Analysis Initiative
Anyone who takes a look at prior OCR enforcement actions will notice several trends. One of those trends relates to enforcement actions following a data breach. In those cases, the OCR frequently alleges the target of the action failed to satisfy the risk analysis standard under the Security Rule. This standard is fundamental – it involves assessing the threats and vulnerabilities to electronic protected health information (ePHI), a process that helps to shape the covered entity or business associate’s approach to the other standards, and goes beyond a simple gap analysis.
“Conducting an accurate and thorough risk analysis is not only required but is also the first step to prevent or mitigate breaches of electronic protected health information,” said OCR Acting Director Anthony Archeval. “Effective cybersecurity includes knowing who has access to electronic health information and ensuring that it is secure.”
For those wondering how committed the OCR is to its enforcement initiatives, you need not look further than its Right to Access Initiative. On March 6, 2025, the agency announced its 53rd enforcement action. According to that announcement, it involved a $200,000 civil monetary penalty imposed against a public academic health center and research university for violating an individual’s right to timely access her medical records through a personal representative.
The DOL Cybersecurity Rule
Businesses that sponsor a group health plan or other ERISA employee benefit plans might want to review the OCR’s announcement and resolution agreement concerning Health Fitness a little more carefully. In 2024, the DOL’s Employee Benefits Security Administration (EBSA) issued Compliance Assistance Release No. 2024-01. That release makes clear that the fiduciary obligation to assess the cybersecurity of plan service providers applies to all ERISA-covered employee benefit plans, including wellness programs for group health plans.
OCR commenced its investigation of Health Fitness after receiving four reports from Health Fitness, over a three-month period (October 15, 2018, to January 25, 2019), of breaches of PHI. According to the OCR, “Health Fitness reported that beginning approximately in August 2015, ePHI became discoverable on the internet and was exposed to automated search devices (web crawlers) resulting from a software misconfiguration on the server housing the ePHI.” Despite these breaches, according to the OCR, Health Fitness had failed to conduct an accurate and thorough risk analysis until January 19, 2024.
Health Fitness agreed to implement a corrective action plan that OCR will monitor for two years and paid $227,816 to OCR. For ERISA plan fiduciaries, an important question is what they need to do to assess the cybersecurity of plan service providers like Health Fitness during the procurement process and beyond.
We provide some thoughts in our earlier article and want to emphasize that plan fiduciaries need to be involved in the process. Cybersecurity is often a risk left to the IT department. However, doing so may leave even the most ardent IT professional ill-equipped or insufficiently informed about the threats and vulnerabilities of the particular service provider. When it comes to ERISA plans, this means properly assessing the threats and vulnerabilities as they relate to the aspects of plan administration being handled by the service provider.
Third-party plan service providers and plan fiduciaries should begin taking reasonable and prudent steps to implement safeguards that will adequately protect plan data. EBSA’s guidance should help the responsible parties get there, along with the plan fiduciaries and plan sponsors’ trusted counsel and other advisors.
The Ninth Circuit Confirms That Liability Insurers Are Entitled to Corroborating Medical Documentation Before Settling a Third-Party Bodily Injury Claim
Liability insurers often receive policy limit demands from third-party claimants that allege serious injuries without corroborating medical records or bills. Since the enactment of California Civil Procedure Code section 999 et seq. in 2023, these demands are typically made by “unrepresented” claimants who are actually receiving guidance from attorneys behind the scenes.
When insurers ask the claimants for corroborating medical documentation – or medical authorizations and sufficient time to use them – their requests are often ignored. Nevertheless, after the demands expire, the insurers are confronted with accusations that they acted in “bad faith” by failing to accept the uncorroborated demands.
In McGranahan v. GEICO Indemnity Company, GEICO was sued for bad faith based on these very circumstances. GEICO’s summary judgment victory in that case was recently affirmed by the Ninth Circuit, which held that GEICO acted reasonably – as a matter of law – when it declined to settle for its policy limit before receiving corroborating medical records and bills. McGranahan v. GEICO Indem. Co., 2025 WL 869306 (9th Cir. Mar. 20, 2025).
In McGranahan, GEICO’s insured was involved in an accident with a motorcyclist (McGranahan). During its investigation, GEICO spoke with McGranahan’s girlfriend, who claimed that McGranahan had suffered serious injuries and had been hospitalized for several weeks. GEICO asked the girlfriend for medical bills or records so that it could evaluate McGranahan’s claim. GEICO also requested that McGranahan sign and return a medical authorization so that GEICO could order the necessary medical documentation. Despite multiple follow-up requests, neither McGranahan nor his girlfriend provided GEICO with any medical records or bills, or a signed medical authorization.
Instead, after consulting with an attorney, McGranahan sent GEICO a handwritten letter demanding that GEICO pay him its $100,000 policy limit. In his demand letter, McGranahan claimed, among other things, that he suffered “significant injuries” and had “over a million dollars” in medical bills.
GEICO responded by again asking McGranahan to provide corroborating medical documentation, which GEICO explained was “essential” to evaluate the claim. GEICO also asked for an extension to respond to the demand. After McGranahan ignored those requests, GEICO advised him that it could neither accept nor reject his demand until it had adequate supporting documentation. GEICO also continued to send follow-up requests for medical documentation, which continued to go unanswered.
It was not until after McGranahan filed suit against GEICO’s insured that GEICO was first able to obtain corroborating medical documentation via formal discovery in the lawsuit. GEICO then offered McGranahan the policy limit, which he rejected based on his contention that the policy was “open” because GEICO had acted in bad faith by not accepting his prior policy limit demand.
After reaching an agreement to resolve that lawsuit for a stipulated judgment in the amount of $1.5 million, McGranahan obtained an assignment of the insured’s rights and sued GEICO for bad faith failure to settle. Judge Aenlle-Rocha of the Central District of California granted summary judgment in favor of GEICO finding, as a matter of law, that GEICO did not act in bad faith. McGranahan v. GEICO Indem. Co., 714 F. Supp. 3d 1187 (C.D. Cal. 2024). In particular, the court concluded that it was reasonable for GEICO to seek corroborating medical documentation before settling McGranahan’s claim, and that GEICO made reasonable efforts to obtain that information. Id. at 1196-97.
On March 20, 2025, the Ninth Circuit affirmed. McGranahan v. GEICO Indem. Co., 2025 WL 869306 (9th Cir. Mar. 20, 2025). In doing so, the Court made several significant rulings, including:
“An insurance company is entitled to receive medical records and bills to aid it in evaluating a settlement offer”; and
GEICO’s multiple requests for McGranahan’s medical bills/records or a signed medical authorization constituted a reasonable and adequate investigation (rejecting McGranahan’s argument that GEICO was required to send someone to meet with him or his girlfriend in person).
The Ninth Circuit’s ruling in McGranahan is consistent with its prior published decision in Du v. Allstate Ins. Co., 697 F.3d 753, 759 (9th Cir. 2012), where it also recognized that an insurer is not required to accept bodily injury claims that are uncorroborated by medical documentation. Both of these decisions affirm the common-sense principle that liability insurers are entitled to corroborating medical documentation when evaluating a third-party bodily injury claim before their settlement duties are triggered.
Rulings like this will help liability insurers defend themselves in bad faith lawsuits arising out of claims involving purportedly “unrepresented” claimants who submit policy limit demands without supporting medical documentation – a scenario that has become more commonplace after the enactment of California Civil Procedure Code section 999, et seq.
HSE Publishes UK REACH Report (2023 to 2024) and Work Programme (2024 to 2025)
The United Kingdom’s (UK) Health and Safety Executive (HSE) announced on March 21, 2025, that it has published the following annual report and work program on activities under the UK regulation on the Registration, Evaluation, Authorisation and Restriction of Chemicals (UK REACH):
UK REACH Report, which outlines the relevant activities covering the 2023 to 2024 Work Programme; and
UK REACH Work Programme, which describes operational work for 2024 to 2025.
The UK REACH Report provides a summary of achievements, including:
Topic | Deliverable | Target | Outcome
Registration | Complete the processing of all Article 26 inquiries and, within three weeks of receipt, all new UK REACH registrations | 100 percent | Met
Dossier evaluation | Meet legal obligations in relation to compliance checking of registration dossiers; Examine testing proposals included in the registration dossiers to ensure that unnecessary animal testing is avoided | No fewer than 20 percent to meet legal obligations; 100 percent | Met
Substance evaluation | Evaluate substances in the Rolling Action Plan (RAP) | Evaluate one | Met
Authorization | Complete the processing of received applications within the statutory deadline | 100 percent | Met
Substance of very high concern (SVHC) identification | Undertake an initial assessment of substances that have been submitted for SVHC identification under the European Union (EU) REACH during 2022/23 and consider if they are appropriate for SVHC identification under UK REACH | Assess up to five | Met
Regulatory management option analysis (RMOA) | Complete RMOAs initiated in 2022-2023; Initiate RMOAs for substances identified as priorities | Up to ten; Up to five | One completed, nine ongoing; None prioritized
Restriction | Complete ongoing restriction opinions; Begin Annex 15 restriction dossiers; Initiate scoping work for restrictions | Two; One; Two | One complete, one delayed; Met (March 2023); Met
HSE notes that in preparing the UK REACH Work Programme, the Department for Environment Food and Rural Affairs (Defra), and the Scottish and Welsh governments (the Appropriate Authorities) work closely with HSE and the Environment Agency to prioritize issues for regulatory action under UK REACH. The UK REACH Work Programme summary of objectives includes the following:
| Topic | Deliverable | Target |
| --- | --- | --- |
| Registration/Product and Process Orientated Research and Development (PPORD) | Complete the processing of all Article 26 inquiries and, within three weeks of receipt, all new UK REACH registrations | 100 percent |
| Dossier evaluation | Meet legal obligations in relation to compliance checking of registration dossiers; Examine testing proposals included in registration dossiers to ensure that unnecessary animal testing is avoided | No fewer than 20 percent of received registration dossiers, to meet legal obligations; 100 percent |
| Substance evaluation | Complete the evaluation of substances in the RAP | Complete one |
| Authorization | Complete the processing of received applications within the statutory deadline | 100 percent |
| SVHC identification | Undertake an initial assessment of substances that have been submitted for SVHC identification under EU REACH during 2023/24 and consider if they are appropriate for SVHC identification under UK REACH | Assess up to six |
| RMOA | Complete RMOAs | Up to nine |
| Restriction | Complete ongoing restriction opinions (lead in ammunition); Complete Annex 15 restriction dossiers for public consultation (per- and polyfluoroalkyl substances (PFAS) in firefighting foam (FFF)) | One; One |
HHS-OIG Highlights Anti-Fraud Safeguards of Drug Manufacturer’s Free Drug Program for Patients in Financial Need
Highlights
The HHS-OIG released a favorable opinion regarding free drugs offered to patients in financial need for a drug manufactured by the pharmaceutical company offering the assistance
The assistance offered under the proposed arrangement did not satisfy a safe harbor to the Anti-Kickback Statute (AKS)
The agency said the proposed arrangement included factors that limited concerns under the AKS and the civil monetary penalty laws
The U.S. Department of Health and Human Services’ Office of Inspector General (HHS-OIG) recently released OIG Advisory Opinion 25-01, a favorable opinion regarding the federal Anti-Kickback Statute (AKS) and civil monetary penalty laws (CMP) against beneficiary inducements as applied to a financial assistance program that would provide an intravenous drug at no cost or with no cost-sharing. The program was offered by a pharmaceutical manufacturer to patients who receive an intravenous drug and meet certain objective eligibility criteria.
The HHS-OIG concluded that the financial assistance offered to patients under the proposed arrangement constitutes remuneration under the AKS and the proposed arrangement did not satisfy a safe harbor under the AKS. However, due to sufficient safeguards in place to mitigate the risk of fraud and abuse, the HHS-OIG would not impose sanctions against the pharmaceutical manufacturer.
Further, the HHS-OIG found that the proposed arrangement would not implicate the CMP because pharmaceutical manufacturers are generally not considered “providers, practitioners, or suppliers” and, therefore, the arrangement is not likely to influence an enrollee’s selection of a provider, practitioner, or supplier. Further, the product is available free of charge to a patient, regardless of the patient’s selection of a prescribing provider or infusion provider, and patients are free to change providers at any time.
Background
The pharmaceutical company manufactures the product, which treats a disease and is intended for use in patients with mild cognitive impairment and confirmed presence of amyloid pathology. Patients prescribed the product receive intravenous infusions every two weeks in an outpatient setting, which could be the treating physician’s office, an outpatient location affiliated with the treating physician, or an independent infusion center unaffiliated with the treating physician. There are currently two other drugs available to treat the disease and two additional such drugs are under development.
The Centers for Medicare & Medicaid Services reimburses for both the product and its administration, under certain circumstances, under Medicare Part B with a 20 percent coinsurance for enrollees, and all state Medicaid programs cover the product with various cost-sharing arrangements for patients.
The proposed arrangement provides the product at no cost to patients, including federal healthcare program beneficiaries, who meet the following eligibility criteria:
Reside in the United States
Be at least 18 years old
Be prescribed the product for an on-label indication
Be uninsured, be insured but with no insurance coverage for the product, or have Medicare coverage for the product but attest that they are unable to afford their out-of-pocket costs associated with the product
Have a household income equal to or below 500 percent of the federal poverty level
Patients must work with their treating physician to complete an application for assistance and submit the application to the pharmaceutical manufacturer. All eligibility determinations are made without regard to the patient’s insurer or insurance plan, prescribing provider, or infusion provider, and patients are free to change physicians or infusion providers at any time without becoming ineligible for the free product.
The provider who administers the free product is permitted to bill Medicare for the administration cost and may bill the patient for any cost sharing related to only the administration cost. If the provider is not able to administer free product to the approved patient, for any reason, the provider is required to return the free product to the manufacturer or certify its disposal pursuant to the manufacturer’s instructions.
Patients must certify that they 1) will not submit a request for payment for the product to any payor, including a federal healthcare program, and 2) understand that no part of the free product or the costs associated with the free product will count toward the patient’s out-of-pocket costs. Further, treating physicians must certify, in writing, that they prescribed the product for an on-label indication, based on the physician’s independent professional judgment of medical necessity taking into account patient safety considerations, and will not submit a request for payment for the free product to any payor and will not seek payment of the free product from the patient.
The facility where the product will be administered must provide an oral acknowledgement that it understands and agrees to follow all requirements associated with receiving the free product, and each shipment includes a letter describing such requirements.
In this request, the manufacturer certified that neither it, nor anyone acting on the manufacturer’s behalf, is permitted to promote the financial assistance program as a reason to prescribe the product to patients, and the manufacturer does not promote the program through direct-to-consumer advertising. Under the proposed arrangement, healthcare professionals may only learn about the program through 1) approved printed materials for general awareness or 2) reimbursement personnel who do not receive sales-based incentive compensation and are permitted to educate pharmacists, physicians, and physician office staff about the program.
Further, the manufacturer certified that it expects patients to learn about the program from 1) the patient’s treating physician, 2) the manufacturer’s patient support hub, or 3) the manufacturer’s patient support website.
The HHS-OIG’s Findings
The HHS-OIG found that the free product constituted remuneration to both patients and administering providers under the AKS, but relied on the following factors in determining that this posed little risk of fraud and abuse:
There are safeguards in place to avoid inappropriately increasing costs to federal healthcare programs. The only cost that could be billed to a federal healthcare program is the administration fee for the infusion, and only where Medicare could have otherwise been billed for the product. In addition, the requestor intends to offer the assistance program indefinitely to patients who continue to meet the eligibility criteria, even if Medicare were to cover the product in the future without the current limitations, so no product will be billed to Medicare for patients who attest that they cannot afford the cost-sharing amounts of the product.
There is a low risk that the program will interfere with clinical decision-making. The treating physician is not permitted to submit a request for payment of the free product to any payor, including but not limited to any federal healthcare program. Although the administering provider may charge the administration fee for patients where Medicare would otherwise reimburse for the product and there is a cost-sharing component for patients, there is a low risk that the administration fee would induce treating physicians to select the product over another product.
The program does not steer patients to a particular provider, practitioner, or insurance plan. Patients are free to change their treating physician or infusion provider at any time without impacting their eligibility for free product.
Ultimately, the HHS-OIG found that the arrangement poses low risk of fraud and abuse due to the safeguards and the patient eligibility criteria.
Key Takeaways
This advisory opinion may be of significant interest to drug manufacturers of new pharmaceutical products. Notably, the HHS-OIG identified the risk that the arrangement could serve as a problematic “seeding” program for the product but determined it would not impose sanctions in part because there is no barrier to the patient switching to competing products and eligibility for the free product is not contingent on past, present, or future purchases of the product.
New Ohio Transparency Pricing Rules for Hospitals Come with Limits to Targeted Advertising
Starting April 3, Ohio hospitals will have to navigate new requirements under House Bill 173. This law mandates greater transparency in healthcare pricing. It also includes rules on selling, or using for targeted advertising, the personal information hospitals collect from price estimator tools (discussed in more detail below). The law applies to hospitals in Ohio, defined as any facility providing inpatient medical services for periods longer than twenty-four hours.
Transparent pricing for services
HB 173 requires hospitals to provide consumers with public pricing information for all hospital items and services. Hospitals need to create a digital list of all standard charges for their services. This list must be easy to access, free of charge, and cannot require any personal information from the user. These provisions are designed to help patients understand how much they will have to pay for medical services. Hospitals also have to offer information about “shoppable services,” e.g., services that can be scheduled in advance.
To meet this transparency requirement, hospitals either must provide a list of shoppable services, or provide an internet-based price estimator tool that helps patients estimate costs for these types of procedures.
Targeted advertising
For hospitals that decide to use a price estimator tool, there are restrictions on how personal information the tool collects can be used. Specifically, the law prohibits hospitals from using personal information collected from the use of the tool for targeted advertising. The law defines targeted advertising as displaying an ad that is selected based on personal data obtained from the use of a hospital’s internet-based price estimator tool by a person in Ohio. This means that hospitals cannot show consumers specific ads based on the information a person provides to estimate healthcare costs. Hospitals are also not allowed to sell personal information collected from price estimator tools. While “sell” is not defined under the law, it is most likely to be interpreted closer to HIPAA definitions than state consumer privacy laws. Sell under HIPAA means direct or indirect remuneration in exchange for PHI.
The law provides specific exclusions for what is considered targeted advertising. Hospitals can still advertise based on a user’s direct request for information or their activities on the hospital’s own websites. Ads that are shown based on the context of a user’s search or visit are also excluded. Additionally, using data to measure how effective ads are is not considered targeted advertising. However, covered entities must continue to be mindful of OCR’s guidance with respect to the use of tracking technologies as well.
Putting it into Practice: Hospitals in Ohio may need to adopt new practices to remain compliant with the law. This includes making sure their websites provide easy-to-find pricing information for patients. Additionally, hospitals should confirm personal information from price estimator tools isn’t used for targeted advertising.
McDermott+ Check-Up: March 21, 2025
THIS WEEK’S DOSE
Government Is Funded, Congress at Home for the Week. The continuing resolution signed by President Trump last Saturday funds the government through the rest of the fiscal year.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. Centers for Medicare & Medicaid Services (CMS) administrator nominee Mehmet Oz, MD, testified.
President Trump Issues EO on Domestic Preparedness. Implementation of this executive order (EO) will likely have implications for drug supply chains and pandemic preparedness.
CONGRESS
Government Is Funded, Congress at Home for the Week. On March 15, 2025, President Trump signed a continuing resolution (CR) into law that funds the government and provides short-term extensions of certain healthcare programs and provisions, including Medicare telehealth flexibilities and community health center funding, through September 30, 2025, the end of the fiscal year. The CR did not include a Medicare physician payment fix. Instead, Republican leadership committed to include a fix in the upcoming budget reconciliation bill to secure votes from the GOP Doctors Caucus. Given the timeline of a potential reconciliation bill, it is uncertain whether Congress will consider any mitigation to the 2025 Medicare physician payment cut that is currently in effect. The House passed the CR mostly along party lines in a 217 – 213 vote. In the Senate, after much internal debate, 10 Democrats joined all but one Republican in a 62 – 38 vote to advance the CR to a final vote, ultimately allowing Republicans to pass it with a simple majority. Congress then went home for a recess week. Both the House and Senate return on March 24, 2025, for a three-week stint until they hit a two-week April recess around the Easter and Passover holidays.
Senate Finance Committee Holds CMS Administrator Nomination Hearing. In the hearing on March 14, 2025, members from both parties discussed concerns about access to care in rural areas as well as high prior authorization and upcoding usage by Medicare Advantage (MA) insurers. Mehmet Oz, MD, agreed with members and stated that he would seek to address upcoding in MA as CMS administrator – which is notable in light of his previous outspoken endorsements of the program. Republicans focused on the insights Oz can bring to CMS as a physician, while Democrats pressed to see if Oz supports reforming or cutting Medicaid, including through work requirements.
ADMINISTRATION
President Trump Issues EO on Domestic Preparedness. The “Achieving Efficiency Through State and Local Preparedness” EO seeks to expand the role of states and localities in preparedness, which will likely have impacts on drug supply chain issues and future pandemic response. The EO directs the Assistant to the President for National Security Affairs, in coordination with other relevant agencies, to:
Publish a national resilience strategy within 90 days
Review critical infrastructure policies, including the following EOs, and recommend a risk-informed approach within 180 days:
EO 14017, “America’s Supply Chains”
EO 14123, “White House Council on Supply Chain Resilience”
Review all national continuity policies, including the following, and recommend options to modernize and streamline the current approach within 180 days:
National Security Memorandum 32, National Continuity Policy
Review the findings of the Federal Emergency Management Agency Council and provide recommendations to edit policies, including the following, to reformulate the process and metrics for federal responsibility within 240 days:
Presidential Policy Directive 8, National Preparedness
Create a National Risk Register within 240 days
The EO also directs the secretary of homeland security to propose policy changes to improve federal-state communication. A fact sheet can be found here.
QUICK HITS
House Democrats Launch Congressional Doctors Caucus. The Congressional Doctors Caucus will work to advance “pragmatic healthcare policy.” This caucus joins the long-established and larger GOP Doctors Caucus in the House. The new Democratic caucus comprises:
Ami Bera, MD (CA) – internal medicine
Herb Conaway, Jr., MD (NJ) – internal medicine
Maxine Dexter, MD (OR) – pulmonary and critical care
Kelly Morrison, MD (MN) – obstetrics and gynecology
Raul Ruiz, MD (CA) – emergency medicine
Kim Schrier, MD (WA) – pediatrics
CMS Announces Manufacturer Participation in Current Round of Medicare Drug Price Negotiation. CMS stated that agreements have been signed with the manufacturers of the 15 drugs chosen for participation in the second cycle of Medicare drug negotiations.
FDA Study Shows Impact of E-Cigarette Prevention Campaign. The US Food and Drug Administration (FDA) study found that “The Real Cost” campaign successfully prevented 450,000 new youth e-cigarette users between 2023 and 2024. Read the press release here.
HHS Renews Opioid Crisis PHE Declaration. US Department of Health & Human Services (HHS) Secretary Kennedy renewed the opioid crisis public health emergency (PHE) declaration for another 90 days. The PHE was set to expire on March 21, 2025, and allows more federal coordination efforts and flexibilities.
HHS, FDA Announce Operation Stork Speed. This initiative seeks to address the safety, reliability, and nutrition of infant formula by starting the statutorily required nutrient review, increasing testing for heavy metals, and extending the personal importation policy. HHS Secretary Kennedy was outspoken in support of these steps.
OCR Takes Action Against Maine for Alleged Title IX Violation. Following an investigation, the HHS Office for Civil Rights (OCR) stated that Maine’s Department of Education and other entities in the state are in violation of President Trump’s “Keeping Men out of Women’s Sports” EO because they allegedly allowed transgender female students to play in women’s sports. OCR’s letter to the entities requires them to voluntarily commit to resolve the matter within 10 days or risk referral to the US Department of Justice. Read the press release here.
FTC Requests Stay of Noncompete Rule, Citing New Administration. The Federal Trade Commission (FTC) filed motions requesting a 120-day stay of the agency’s appeal of district court decisions blocking the Biden-era FTC proposed ban on noncompete agreements. This is a signal that FTC’s new leadership is rethinking the agency’s defense of the proposed rule. FTC Chairman Ferguson also released a memo creating the Joint Labor Task Force, which will evaluate policy options related to noncompete agreements.
NEXT WEEK’S DIAGNOSIS
Congress will return to session on Monday to continue work on budget reconciliation. While each body has passed a budget resolution, they must now agree to and pass a unified budget resolution through both bodies in order for reconciliation to proceed. The House Veterans’ Affairs Health Subcommittee will hold a hearing on healthcare access and a markup of several healthcare-related bills, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing on online safety. On the regulatory side, we await the release of the inpatient prospective payment system proposed rule.
Employment Law Update: New Compensation Limits and Statutory Payment Rates
Under the Employment Rights (Increase of Limits) Order 2025 (the “Employment Order”), there will be changes to the compensation limits that apply to certain awards that Employment Tribunals can make and other amounts payable under employment legislation with effect from 6 April 2025. The Employment Order applies to England, Wales and Scotland.
The new limits will apply where the ‘appropriate date’ for the cause of action occurs on or after 6 April 2025. For example, in the case of unfair dismissal, the rates apply to all dismissals where the effective date of termination falls on or after this date. If the appropriate date (e.g., the date of dismissal) falls before 6 April 2025, the previous limits mentioned below will apply irrespective of the date on which the compensation is awarded.
Here is a brief overview of the changes which will take effect from 6 April 2025 under the Employment Order:
the maximum compensatory award for unfair dismissal is increasing from £115,115 to £118,223 (the upper limit remains the lower of a year’s salary or the maximum statutory limit of £118,223);
the maximum amount of a ‘week’s pay’ (for the purpose of calculating statutory redundancy payments and the basic award for unfair dismissal) is increasing from £700 to £719;
the limit on the compensatory award for failure to allocate and pay tips fairly is increasing from £5,000 to £5,135;
guarantee daily pay is increasing from £38 to £39; and
the minimum basic award in cases where a dismissal is unfair because of reasons to do with health and safety, working time, employee representative, trade union, or occupational pension trustees is increasing from £8,533 to £8,763.
Additionally, the Social Security Benefits Up-rating Order 2025 (the “Social Security Order”) will increase the rate of payment for a range of statutory leave entitlements, also with effect from 6 April 2025. Most of the statutory benefits will increase by 1.7% from the previous year’s rates, in line with inflation. These changes are part of the UK Government’s reforms seeking to provide greater support to those in financial need.
Here is a brief overview of the changes which will take effect from 6 April 2025 under the Social Security Order:
Statutory sick pay is increasing from £116.75 to £118.75 per week.
The below payments are all increasing from £184.03 to £187.18 per week or 90% of the employee’s average weekly earnings, whichever is lower:
statutory maternity pay (after the first six weeks);
statutory adoption pay (after the first six weeks up to thirty-nine weeks);
statutory paternity pay (up to two weeks from the date agreed with the employee);
statutory shared parental pay (up to thirty-seven weeks);
statutory parental bereavement pay (up to two weeks per bereavement); and
maternity allowance (although the payment increase for maternity allowance will only apply from 7 April 2025).
The earnings threshold to be eligible for all the above payments is also increasing slightly from £123 to £125 weekly.
Maya Sterrie, trainee in the Employment Litigation practice, contributed to this article.
Key Considerations Before Negotiating Healthcare AI Vendor Contracts
The integration of artificial intelligence (AI) tools in healthcare is revolutionizing the industry, bringing efficiencies to the practice of medicine and benefits to patients. However, the negotiation of third-party AI tools requires a nuanced understanding of the tool’s application, implementation, risk and the contractual pressure points. Before entering the negotiation room, consider the following key insights:
I. The Expanding Role of AI in Healthcare
AI’s role in healthcare is rapidly expanding, offering a wide range of applications including real-time patient monitoring, streamlined clinical note-taking, evidence-based treatment recommendations, and population health management. Moreover, AI is transforming healthcare operations by automating staff tasks, optimizing operational and administrative processes, and providing guidance in surgical care. These technological advancements can not only improve efficiency but also enhance the quality of care provided. AI-driven customer support tools are also enhancing patient experiences by offering timely responses and personalized interactions. Even in employment recruiting, AI is being leveraged to identify and attract top talent in the healthcare sector.
With such a wide array of applications, it is crucial for stakeholders to understand the specific AI service offering when negotiating a vendor contract and implementing the new technology. This knowledge ensures that the selected AI solution aligns with the organization’s goals and can be effectively integrated into existing systems, while minimizing each party’s risk.
II. Pre-Negotiation Strategies
Healthcare AI arrangements are complex, often involving novel technologies and products, a wide range of possible applications, important data use and privacy considerations and the potential to significantly impact patient care and patient satisfaction. Further, the regulatory landscape is developing and can be expected to evolve significantly in the coming years. Vendors and customers should consider the following when approaching a negotiation:
Vendor Considerations:
Conduct a Comprehensive Assessment: Understand the problem the product is addressing, expected users, scope, proposed solutions, data involved, potential evolution, and risk level.
Engage Stakeholders: Schedule kick-off calls with the customer’s privacy, IT, compliance, and clinical or administrative teams.
Documentation: Maintain summary documentation detailing model overview, value proposition, processing activities, and privacy/security controls.
Collaborate with Sales: Develop strategies with the sales team and consider trial periods or pilot programs. Plan for the progression of these programs. For example, even if a pilot program is free, data usage terms should still apply.
Customer Considerations:
Evaluate Within AI Governance Scope: Don’t treat an AI contract like a normal tech engagement. Instead, approach this arrangement within a larger AI governance scope, including accounting for the introduction of ethical frameworks, data governance practices, monitoring and evaluation systems, and related guardrails to work in tandem with the product’s applications.
Engage Stakeholders: Collaborate with legal, privacy, IT, compliance, and other relevant stakeholders from the outset.
Consider AI-Specific Contracts: Use AI-specific riders or MSAs and review standard vendor forms to streamline negotiations.
Assess Upstream Contract Requirements: Ensure upstream requirements can be appropriately reflected downstream.
Perform Vendor Due Diligence: As with any nascent industry, some vendors will not survive or may significantly change their focus or products, which might impact support or the long-term viability of the service. Learn about your vendor and ask questions about their financial stability, privacy and security posture.
III. AI Governance and Risk Assessment
Evaluating AI-related risk requires understanding risk across the full lifecycle of an AI product, including its model architecture, training methods, data types, model access, and specific application context. In the healthcare space, this includes understanding the impact to operations, the effect on clinical care and any other impact to patients, the amount of sensitive information involved, and the degree of visibility and/or control the organization has over the model.[1] For example, the risk is much larger with respect to AI that is used to assist clinical decision-making for diagnostics (e.g., assessing static imaging in radiology), whereas technology used for limited administrative purposes carries a comparatively smaller risk. Here are three resources that healthcare organizations can use to evaluate and address AI-related risks:
A. HEAT Map
A HEAT map can be a helpful tool for evaluating the severity of risks associated with AI systems. It categorizes risks into different “heat” levels (e.g., informational, low, medium, high, and critical). This high-level visual representation can be particularly helpful when a healthcare organization is initially deciding whether to engage a vendor for a new AI product or platform. It can help the organization identify the risk associated with rolling out a given product and prioritize risk management strategies if it moves forward in negotiating an agreement with that vendor.
For example, both the customer and the vendor might consider (and categorize within the HEAT map) what data the vendor will require to perform its services, why the vendor needs it, who will receive the data, and what data rights the vendor might be asking for, how that data is categorized, whether any federal, state or global rules impact the acceptance of that data, and what mitigations are necessary to account for data privacy.
B. NIST AI Risk Management Framework
The National Institute of Standards and Technology (NIST) has created the NIST AI Risk Management Framework to guide organizations in identifying and managing AI-related risks.[2] This framework offers an example of a risk tiering system that can be used to understand and assess the risk profile of a given AI product, and ultimately guide organizations in the creation of risk policies and protocols, evaluation of ongoing AI rollouts, and resolution of any issues that arise. Whether healthcare organizations choose to adopt this risk tiering approach or apply their own, this framework reminds organizations of the many tools at their disposal to manage risk during the rollout of an AI tool, including data protection and retention policies, education of users, incident response protocols, auditing and assessment practices, changes to management controls, secure software development practices, and stakeholder engagement.
C. Attestations and Certifications
Attestations and certificates (e.g., HITRUST, ISO 27001, SOC-2) can also help your organization ensure compliance with industry standard security and data protection practices. Specifically, HITRUST focuses on compliance with healthcare data protection standards, reducing the risk of breaches and ensuring AI systems that handle health data are secure; ISO 27001 provides a framework for managing information security, helping organizations to safeguard AI data against unauthorized access and breaches; and SOC-2 assesses and verifies a service organization’s controls related to security, availability, processing integrity, confidentiality, and privacy, in order to ensure AI services are trustworthy. By engaging in the process to meet these certification standards, the organization will be better equipped to issue-spot potential problems and implement corrective measures. Also, these certifications can demonstrate to the public that the organization takes AI risks seriously, thereby strengthening trust and credibility amongst its patients and business partners.
IV. Contract Considerations
Once parties have assessed their organizational needs, engaged applicable stakeholders/collaborators, and reviewed their risk exposure from an AI governance perspective, they can move forward in negotiating the specific terms of the agreement. Here’s a high-level checklist of the terms and conditions that each party will want to pay careful attention to in negotiations, along with a deeper dive into the considerations surrounding data use and intellectual property (IP) issues:
A. Key Contracting Provisions:
Third-party terms
Privacy and security
Data rights
Performance and IP warranties
Service level agreements (SLAs)
Regulatory compliance
Indemnification (IP infringement, data breaches, etc.)
Limitations of liability and exclusion of damages
Insurance and audit rights
Termination rights and effects
B. Data Use and Intellectual Property Issues
When negotiating the terms and conditions related to data use, ownership, and other intellectual property (IP) issues, each party will typically aim to achieve the following objectives:
Customer Perspective:
Ensure customer will own all inputs, outputs, and derivatives of its data used in the application of the AI model;
Confirm data usage will be restricted to service-related purposes;
Confirm the customer’s right to access data stored by the vendor or a third party as needed. For example, the customer might want to require that the vendor provide any relevant data and algorithms in the event of a DOJ investigation or plaintiff lawsuit;[3]
Aim for broad, protective IP liability and indemnity provisions; and
Where patient health information is involved, ensure that it is being used in compliance with HIPAA. Vendors want to train their algorithm on PHI. Unless the algorithm is only being trained for the benefit of the HIPAA-regulated entity and fits within a healthcare operations exception, a HIPAA authorization from the data subject will typically be required to train the algorithm for broader purposes.
Vendor Perspective:
Ensure vendor owns all services, products, documentation, and enhancements thereto;
Access customer data sources for training and improving machine learning models; and
Retain ownership over outputs. From the vendor’s perspective, any customer data that is inputted into the vendor’s model is modified by that model or product, resulting in the blending of information owned by both sides. One potential solution to this shared ownership issue is for the vendor to grant the customer a longstanding license to use that output.
V. Conclusion
In conclusion, negotiating contracts for AI tools in healthcare demands a comprehensive understanding of the technology, data use, risks and liabilities, among other considerations. By preparing effectively and engaging the right stakeholders and collaborators, both vendors and customers can successfully navigate these negotiations.
FOOTNOTES
[1] UC AI Council Risk Assessment Guide.
[2] NIST AI 600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (July 2024).
[3] Paul W. Grimm et al., Artificial Intelligence as Evidence, 19 Northwestern J. of Tech. and Intellectual Prop. 1, 9 (2021).