Healthcare Regulatory Update (Winter/Spring 2024)

Healthcare deal volume and regulatory oversight initiatives and actions increased in Q1 2024. Many of these actions are following a trend of increased scrutiny from state and federal regulators on healthcare investments from private equity (PE) backed sponsors. Specifically, federal and state regulators hosted numerous public forums scrutinizing and, in some cases, condemning PE investment in healthcare, and have taken steps to increase transparency from PE-backed healthcare organization and consolidations, including disclosures from PE sponsors. Additionally, data breaches involving health information have grabbed headlines and resulted in interruptions for various healthcare entities, and lawmakers and regulators have been active in addressing concerns over the handling and protection of sensitive health information.

Below are a few notable developments.

State-Level Healthcare Transaction Notification and Filing Obligations

At least 13 U.S. states have adopted healthcare transaction review laws (often also referred to as “mini-HSR” laws) focused on consolidation in the healthcare industry. In the first quarter of 2024, states continued to roll out new rules requiring notice, and in certain cases approval, of pending healthcare-related transactions.

California Assembly Bill (AB) 853, establishing a 180-day notice period for transactions involving retail drug firms, took effect on January 1, 2024. In addition, California AB 3129 was introduced on February 16, 2024. AB 3129, if enacted, would impose restrictions on the management-services model (frequently used throughout the industry) and require at least 90 days’ notice to the California Attorney General prior to consummation of a transaction involving PE and a healthcare facility or provider group in the state. Further, the state of Indiana passed a new mini-HSR law impacting healthcare transactions under which, effective July 1, 2024, parties will be required to submit notice of a contemplated healthcare transaction at least 90 days prior to closing. The Indiana Attorney General then has 45 days to review the proposed transaction and provide a written analysis of any antitrust concerns. We anticipate that additional states will enact mini-HSR laws, further increasing the regulatory oversight of investment in healthcare. 

Federal Scrutiny on Healthcare Transactions

The federal government ramped up its rhetoric in opposition to PE’s involvement in healthcare in the first quarter. On March 5, 2024, the Federal Trade Commission (FTC) hosted a virtual workshop entitled Private Capital, Public Impact, which focused on the “financialization” of healthcare and called for greater scrutiny of PE’s role in healthcare. In parallel with the workshop, the FTC, Department of Justice (DOJ), and Department of Health and Human Services (HHS) issued a joint Request for Public Input (RFI), which is now extended to June 5, 2024. The RFI seeks information on deals that involve healthcare providers, facilities or ancillary products or services, including information on transactions that would not be reported to DOJ or FTC for antitrust review under HSR. 

Additionally, on April 3, 2024, the U.S. Senate Committee on Health, Education, Labor & Pensions hosted a hearing entitled When Health Care Becomes Wealth Care: How Corporate Greed Puts Patient Care and Health Workers at Risk. The hearing, led by Senators Ed Markey (D-Mass.) and Elizabeth Warren (D-Mass.), dovetailed with the release of the Health Over Wealth Act, aiming for increased transparency in PE investment in healthcare. On April 18, 2024, FTC, DOJ and HHS unveiled, which allows anyone to submit a complaint for these agencies to review and investigate healthcare fairness and competition concerns. Finally, on May 9, 2024, the DOJ announced the formation of the Antitrust Division’s Task Force on Health Care Monopolies and Collusion, which will consider widespread competition concerns from stakeholders (e.g., patients, businesses and healthcare professionals), including payer-provider consolidation, serial acquisitions, labor and quality of care, billing, health IT, and access to and misuse of healthcare data. 

We expect enforcement and the use of public forums to examine the role of private investment in healthcare to continue. That said, there is at least a question as to whether minority ownership by a PE firm allows for the FTC to join the minority-owner PE firm as a defendant to a federal antitrust lawsuit, seeking to challenge the conduct of and a series of acquisitions by a provider platform. At least one federal judge in Texas recently dismissed a PE-sponsor defendant from such a lawsuit. We will continue to watch developments in this space. 

CMS Broker Rule Changes and 80/20 Rule

The Centers for Medicare and Medicaid Services (“CMS”) on April 4, 2024, published its 2025 Medicare Advantage and Part D Final Rule, which includes changes to regulations governing broker compensation. The finalized rule places a hard cap on compensation. It limits other bonus arrangements aimed to prevent carriers from incentivizing brokers to steer individuals to certain Medicare Advantage and Part D plans over other plans based on financial interest — rather than the prospective enrollee’s healthcare needs.

On April 22, 2024, CMS issued its Ensuring Access to Medicaid Services Final Rule to address Medicaid beneficiary access and equity for home and community-based services. One of its notable requirements is for states to generally ensure a minimum of 80% of Medicaid payments for homemaker, home health aide and personal care services be spent on compensation for direct care workers, as opposed to administrative overhead or profit (subject to certain flexibilities and exceptions). The requirement is effective six years after the effective date of the final rule, which was published on May 10, 2024.

Sensitive Data Transfers and Potential Federal Privacy Law 

On February 28, 2024, President Biden issued an Executive Order (EO) aimed at protecting U.S. sensitive personal data and U.S. government-related data from exploitation by countries with an established record of collecting and using such data for cyber operations, surveillance scams, blackmail and other malicious activities. Of note to healthcare, the EO directs the Departments of HHS, Defense and Veterans Affairs to take additional steps to protect U.S. sensitive health data and human genomic data from threats posed directly by countries of concern. Such additional steps include issuing regulations to prohibit or place conditions on contracts, awards and grants that could enable countries of concern to access such data. The EO, as enforced primarily by the DOJ through the rulemaking process, has the potential to implicate traditionally non-identifiable data, which is often excluded from the purview of many privacy regimes.

On the legislative side, a bipartisan and bicameral group of lawmakers announced a draft of the American Privacy Rights Act of 2024 (APRA). If passed, the APRA would establish a national data privacy and security standard and provide individuals certain rights with respect to their personal information. As currently drafted, the law would affect the healthcare sector specifically, including by designating health information as “Sensitive Covered Data” subject to heightened requirements (e.g., express, informed consent for sharing with third parties). The draft provides that companies in compliance with laws like HIPAA (defined below) could be deemed in compliance with APRA. Whether APRA becomes law or dies on the vine, as has occurred with other proposed national privacy legislation, remains to be seen. 

Part 2, HIPAA and HBNR Updates

On February 8, 2024, HHS issued a final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulation (SUD) at 42 CFR part 2 (Part 2). The Part 2 final rule modifies SUD by more closely aligning it with the Health Insurance Portability and Accountability Act (HIPAA). For example, healthcare providers may now use a single consent and information breach notification requirements now mirror those in HIPAA. The final rule also removes the criminal penalties contained in SUD and replaces them with both civil and criminal enforcement authorities that also apply to HIPAA.

On April 22, 2024, HHS Office for Civil Rights issued the final HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The final rule modifies the HIPAA Privacy Rule to bolster patient-provider confidentiality by providing protection to people seeking lawful reproductive health care (RHC). The key updates include (1) prohibiting covered entities from using and disclosing protected health information (PHI) for certain purposes related to individuals seeking, obtaining, providing or facilitating RHC, subject to certain conditions, (2) requiring covered entities to obtain a signed attestation stating certain requests for PHI potentially related to RHC are not for these prohibited purposes and (3) requiring covered entities to update their Notice of Privacy Practices.

On April 26, 2024, under a split party-line vote, the FTC announced finalized changes to its Health Breach Notification Rule (“HBNR”), which aim to clarify the HBNR’s applicability to health apps and similar technologies. According to the FTC, the HBNR requires vendors of health records, including health apps, (which are not generally covered by HIPAA) to notify individuals, the FTC and, in some cases, the media, of a breach or impermissible disclosure of unsecured personally identifiable health data. For more details, see our prior alert on the HBNR updates here

Health Privacy Laws

On March 31, 2024, many stringent requirements of the consumer health privacy laws in Washington and Nevada went into effect. Both laws are broad in scope and require regulated entities to obtain consent (with specific content requirements) for certain data collection, sharing or selling. Additionally, the laws generally prohibit the use of geofencing marketing tools (targeting consumers with ads based on whether they visited a certain area around a healthcare facility) in the healthcare context. These laws do not apply to PHI already regulated by HIPAA, but HIPAA “covered entities” and “business associates” may still be subject to these laws. The key difference between these laws is Washington’s law permits a private right of action, which will likely lead to litigation in the near future. We will continue to monitor these new laws and their development for potential impact on new and existing healthcare businesses. 

Laboratory-Developed Tests 

On April 29, 2024, the U.S. Food & Drug Administration (FDA) announced its final rule to address the safety and effectiveness of laboratory-developed tests (LDTs), which have proliferated in the healthcare space over the last decade. The final rule amends FDA’s regulations to make explicit that in vitro diagnostic products (IVDs) are devices under the Federal Food, Drug, and Cosmetic Act. The final rule phases out FDA’s long-standing enforcement discretion approach to LTDs. The phaseout process is a five-stage approach allowing IVDs that are manufactured and offered as LDTs time to come into compliance. The first phase begins in May 2025 with the final phase ending in May 2028. Certain types of LTDs, such as tests for blood donor screening or tests intended for emergencies or potential emergencies are excluded from these requirements. The FDA has published draft guidance documents and an FAQ to provide additional insights into the agency’s approach to enforcement discretion and the scope of LDTs covered under the final rule. 

This publication is distributed with the understanding that the author, publisher and distributor of this communication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this communication may constitute Attorney Advertising.