Skip to Main Content

January/February 2024  Volume 5Issue 1
Health Law Connections

Top Ten Issues in Health Law 2024

  • January 01, 2024
  • Lisa Amanti , athenahealth
  • Katherine Snow , Hinge Health Inc.
  • Alya Sulaiman , McDermott Will & Emery LLP
  • Kevin Malone , Epstein Becker & Green PC
  • David Shillcutt , Epstein Becker & Green PC
  • Rosa M. Morales , Crowell & Moring LLP
  • Alexis J. Gilman , Crowell & Moring LLP
  • Jonathan A. Porter , Husch Blackwell LLP
  • Tiffany Buckley-Norwood , Trinity Health Corporation
  • Joanne (Jody) Joiner , Tenet Healthcare
  • Gina L. Bertolini , K&L Gates LLP
  • Douglas M. Mancino , Seyfarth Shaw LLP
  • Caroline M. Brown , Brown & Peisch PLLC
  • Julia M. Siegenberg , Brown & Peisch PLLC
  • Carolyn V. Metnick , Sheppard Mullin Richter & Hampton LLP
  • Jolee H. Bollinger , Sharp HealthCare
  • Andrew D. Ruskin , K&L Gates LLP
Top ten

1. Health Care’s AI Transformation: Managing Risks and Rewards in an Evolving Landscape

Lisa Amanti, athenahealth
Katherine Snow, Hinge Health Inc.
Alya Sulaiman, McDermott Will & Emery LLP

+Listen to Episode 1

While artificial intelligence (AI) has been in existence for decades, 2022 was generative AI’s coronation year and 2023 was characterized by increased innovation, development, and availability of AI technologies. In 2024, the integration of AI into health care is set to reach new heights while the policy framework for AI continues to change. AI has the potential to transform health care but also comes with known and not-yet-understood risks. Organizations should begin 2024 with a clear understanding of their AI strategy and priorities, as well as the attendant risks associated with AI in health care.

Multi-Layered Issue Spotting in an Evolving Policy Landscape. While there is not current, universal law governing AI, there is a patchwork of privacy, consumer protection, health care, and health information technology laws and regulations that pre-date AI and apply to its use. In the absence of a broad-spectrum AI regulation,1 policymakers have efforts underway to address the gaps, including the White House Blueprint for an AI Bill of Rights2 and voluntary commitments from leading AI companies to develop safe, secure, and trustworthy AI.3 On October 30, 2023, President Biden released a landmark executive order4 with an array of directives to establish standards for AI safety and security, including in the contexts of cybersecurity and health care, equity and civil rights, and privacy and the protection of consumers against fraud and deception. Several directives also create responsibilities for the Department of Health and Human Services (HHS) to create safety and assurance programs and oversight for health AI. On December 14, 2023, the White House announced that 28 health care provider and payer organizations had made voluntary commitments to help move toward safe, secure, and trustworthy purchasing and use of AI technology.

Given the rapidly changing environment, it is essential to evaluate AI use cases using a multi-layered case-by-case approach grounded in existing law and policy frameworks to help navigate today’s risks and prepare for future AI regulations. Below are a few areas to consider when evaluating health AI.

Privacy, Security, and Technology Risks. AI technologies depend on lots of data. Any use of health data triggers privacy and security concerns. Existing privacy requirements include statutes like the Health Insurance Portability and Accountability Act (HIPAA),5 the Federal Trade Commission Act, state consumer privacy laws, international laws such as the General Data Protection Regulation (GDPR), new and developing regulatory schemes, as well as contractual terms that may restrict how data can be used and disclosed, and how it should be protected. Fortunately, tools like the U.S. National Institute of Standards and Technology’s AI Risk Management Framework6 exist to help organizations better manage security, technology, and other risks associated with AI.

FDA and Product Regulatory Considerations. The Food and Drug Administration (FDA) creates requirements for AI technologies used in medical devices, including software as a medical device. For example, the FDA regulates AI-powered imaging tools that aid in diagnosis and software that uses patient-specific data to generate risk scores. A recent final rule7 from the HHS Office of the National Coordinator for Health Information Technology (ONC) established new requirements for AI technologies that might be used in clinical, administrative, and operational contexts, and are supplied by developers of certified health information technology (e.g., EHR developers). Although ONC and the FDA take different approaches to regulating AI, both are generally focused on transparency and risk management.

Intellectual Property (IP) Considerations. Before using data to train AI, organizations must evaluate whether using the data would violate contractual rights or infringe IP rights. Answers to such questions are not always straightforward when multiple organizations contribute resources at different stages of the AI lifecycle. Collaboration between data contributors/sources and AI system developers adds complexity to IP ownership and licensing issues, and existing legal frameworks are grappling with how to resolve IP questions raised by AI technologies.

Bias, Fairness, and Reliability. A major concern surrounding the use of AI in health care is the potential for bias. AI technologies are built on data that often reflects the inequities and biases that have long plagued U.S. health care. The risk of bias must be managed when training an algorithm, in determining whether a given use case is too high risk, and by monitoring AI’s performance once deployed. While AI has and continues to make rapid progress, machine intelligence remains narrower than human intelligence and empathy while appearing to demonstrate human reasoning ability. This poses risks in health care contexts as AI technologies may generate outputs that seem trustworthy but contain biased or unfair outputs, or inaccurate hallucinations.

Responsible AI Governance. The responsible use of AI in health care requires the development of effective oversight programs. Whether your organization is developing, procuring, or deploying an AI-enabled technology, a use case-based approach to AI governance can help identify risks and inform how to manage them. The real risks of AI are not the apocalyptic visions or the machines taking over our careers and lives. The real risks will come from machines that are not yet smart enough to handle the responsibilities humans give them. Engaging in oversight throughout the AI lifecycle, and subjecting AI to the same scrutiny as other new technologies using existing legal frameworks, can help manage these risks.

2. Major Expansion of Federal Regulation of Managed Care Through the Mental Health Parity and Addiction Equity Act

Kevin Malone, Epstein Becker & Green PC
David Shillcutt, Epstein Becker & Green PC

*Contributed by AHLA's Behavioral Health Practice Group.

+Listen to Episode 2

In 2008, building on the earlier Mental Health Parity Act of 1996 (MHPA),8 the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act (MHPAEA) was enacted to prevent group health plans and health insurance issuers (Health Plans) from covering mental health or substance use disorder (MH/SUD) benefits in a discriminatory manner compared to the coverage of medical/surgical (M/S) benefits. MHPAEA is enforced across insurance markets by the applicable primary regulatory authority, such as the Department of Labor (DOL) for self-funded group health plans, state departments of insurance for fully insured commercial group policies (and the DOL to the extent such groups are also covered by the Employee Retirement Income Security Act (ERISA)), the Center for Consumer Information and Insurance Oversight (CCIIO) for individual policies on federally facilitated marketplaces; and the Centers for Medicare & Medicaid Services (CMS) and state Medicaid agencies for Medicaid managed care and the Children’s Health Insurance Program (CHIP). At the time of passage, despite the MHPA, many Health Plans imposed more restrictive limits on MH/SUD benefits or excluded coverage for major categories of services, especially SUD treatments.9 DOL, HHS, and the Department of Treasury (Tri-Agencies) issued the first commercial market final regulations for MHPAEA in 2013 specifying that the parity requirements apply to financial requirements, quantitative treatment limitations, and non-quantitative treatment limits (NQTLs), which are generally non-numerical requirements that limit the scope or duration of benefits, such as benefit exclusions, prior authorization requirements, step therapy requirements, and standards for provider admission to participate in a network.10 Since then, although nearly all Health Plans now cover MH/SUD benefits and discriminatory quantitative limits and financial requirements are must less common, research has continued to indicate that patients across markets continue to have more difficulties accessing MH/SUD treatments than M/S services.11

In response to these findings, the Tri-Agencies have steadily issued interpretive guidance12 and increased audit and enforcement activity related to MHPAEA.13 Despite the agencies’ efforts, Congress made material amendments to MHPAEA through the Consolidated Appropriations Act, 2021 (CAA), adding a provision that formalized and expanded upon the NQTL requirements from the 2013 Final Rule and earlier sub-regulatory guidance and required Health Plans to perform and document comparative analyses to demonstrate parity and provide them to the Tri-Agencies or to an applicable state authority upon request.14 Since the passage of the CAA amendments, the Tri-Agencies and state insurance regulators have significantly expanded their oversight and enforcement of MHPAEA.15

However, more sweeping changes are potentially on the horizon for 2024. On July 23, 2023, the Tri-Agencies proposed regulations and guidance on the MHPAEA flowing from the CAA amendments that would, among other new requirements, impose significant additional restrictions on Health Plans’ medical management techniques and require Health Plans to collect and evaluate network adequacy data and provider reimbursement rates in order to enforce equitable access to providers of MH/SUD services compared to providers of M/S services.16 The Notice of Proposed Rulemaking (NPRM) goes far beyond simply enshrining the requirements of the CAA and prior Tri-Agency sub-regulatory guidance and represents the most significant expansion of the MHPAEA’s technical requirements as applied to NQTLs since the finalization of the initial MHPAEA regulations in 2013. Arguably, in its application of new sweeping requirements to utilization management, network contracting, and network adequacy, the NPRM represents the most comprehensive federal regulation of managed care practices ever implemented in the United States.

Among other significant proposals, the NPRM, if finalized, would measure differences between in-network access for providers of MH/SUD and M/S benefits. The NPRM was accompanied by Technical Release 2023-01P, which outlines the Tri-Agencies’ current thinking as to technical measures for MH/SUD provider access that they intend to use for the purpose of evaluating whether access to MH/SUD providers is lower than for M/S providers. The NPRM includes a proposed special rule that would require all Health Plans to measure access using measures to be finalized based on the Technical Release. Any “material difference” between access (as defined by those measures) for MH/SUD and M/S services would be a per se parity violation for NQTLs related to network management (including reimbursement methodologies), and the Tri-Agencies would have regulatory authority to mandate changes to the impacted NQTLs on that basis. This could give the Tri-Agencies and the state departments of insurance the right to dictate specific reimbursement rate terms and network contracting requirements for MH/SUD services based solely on data indicating differences in access.

Even if the NPRM is not finalized as proposed, MHPAEA compliance will continue to be one of the most difficult and sweeping regulatory requirements applying to Health Plans across the fully insured and self-funded markets. However, if the NPRM is finalized as proposed, Health Plans may be required to make fundamental and sweeping changes to how they implement and manage most of the core managed care functions they use to manage utilization and network access. Not to be left out, CMS has recently initiated a process to potentially impose corresponding requirements to Medicaid managed care in 2024.17

3. Antitrust Trends and Forecast for the Health Care Industry

Rosa M. Morales, Crowell & Moring LLP
Alexis J. Gilman, Crowell & Moring LLP

+Listen to Episode 3

The Department of Justice (DOJ) and the Federal Trade Commission (FTC) continue to increase antitrust enforcement in the health care industry as part of their broader enforcement efforts. The agencies are focusing on aggressive merger enforcement, pursuing novel or less traditional theories of harm, expanding industry studies, and rescinding longstanding “safety zones” from prior enforcement statements that primarily guided the health care industry. While consistent with President Biden’s 2021 Executive Order on Promoting Competition in the American Economy, the rapidly evolving state of agency guidance and enforcement has created uncertainty among health care-industry participants about whether business conduct and future deals will pass antitrust scrutiny in the years ahead. One thing is certain: health care organizations can expect greater enforcer scrutiny and longer wait times for deal reviews and conduct investigations.

FTC’s Proposed Ban on Non-Competes. In early 2023, the FTC proposed a rulemaking that would ban virtually all existing and future non-compete clauses in employment contracts, which would dramatically alter the employment landscape for health care organizations. The FTC contends that non-compete clauses reduce competition in labor markets, limit job mobility, and ultimately depress worker wages. An agency vote on the final rule is expected sometime in 2024 and will likely be challenged in court. Meanwhile, more states are beginning to pass legislation that would ban or limit non-compete clauses in employment contracts.

“No-Poach” and Wage-Fixing Enforcement. Other than securing a plea deal, the DOJ’s losing streak in criminal prosecutions of health care firms and individuals for alleged wage-fixing and “no-poach” agreements continued into 2023, most recently with the acquittal of four individuals accused of fixing the wages of home-health workers in United States v. Kalayaf Manahe. Then in May 2023, a Connecticut district court acquitted six defendants in a criminal “no-poach” case (in the defense industry), constituting the DOJ’s fourth contested trial loss since 2016, when the DOJ first announced it would prosecute “no-poach” and wage-fixing cases criminally. Undeterred, in September 2023, the DOJ declared it would continue prosecuting such matters criminally, signaling the continued importance for health care firms to implement robust compliance programs to prevent potential antitrust violations in labor markets.

New Merger Guidelines. The FTC and DOJ are finalizing new Merger Guidelines (MGs) that would significantly revise prior guidelines on horizontal and vertical transactions to discourage and challenge perceived undue industry consolidation, including in health care. Among the most notable changes are lower market-concentration thresholds for presuming a horizontal merger is unlawful and creating unprecedented presumptions for harm in vertical mergers. Draft Guideline 5(B) targets transactions that provide access to a rival’s competitively sensitive information, which appears to be designed to address the type of concerns raised in the DOJ’s failed attempt to block UnitedHealthcare’s acquisition of Change Healthcare based on alleged access to rival health insurers’ claims data. Another guideline targets serial acquisitions or “roll-ups” where a firm acquires a series of smaller firms in the same industry. Enforcers are concerned that roll-up strategies, particularly by private equity firms, create and enhance market power in particular products/services, even if a single transaction in the series would not alone be anticompetitive. The FTC already has put its “roll-up” theory to the test when it sued a private equity firm and an anesthesia provider for allegedly monopolizing anesthesiology markets in Texas through a decade-long “roll-up” strategy. The new MGs are expected by the end of 2023 or early in 2024.

HSR Filing Requirements Overhaul. The FTC and DOJ also have announced proposed new Hart-Scott-Rodino Antitrust Improvements Act of 1976 (HSR) rules that would substantially broaden the volume of information and documents required for HSR filings, including requiring information about labor markets, Occupational Safety and Health Administration violations, geolocation data for facilities, and narrative analyses of relevant markets and potential competitive overlaps. Further, filing parties would be required to produce a much larger number of documents, including drafts of market analyses and synergy documents, rather than just the final or most recent version of such documents. Merging parties—and their outside advisors—would therefore need to exercise extra caution when drafting even preliminary documents containing information about “markets,” service areas, and other competitive or efficiency analyses. The proposed HSR revisions also would require revenues to be reported by subsidiary, extend the look-back period for reporting prior acquisitions from five to ten years, and require parties to identify officers and directors for all subsidiaries and, in turn, all other companies in which those individuals have served as officers or directors. While the draft rule may still be revised in response to public comments, these proposed HSR rules would significantly increase the filing burden, time, and cost.

FTC Expands PBM Scrutiny. The FTC expanded its market study on pharmacy benefit managers (PBMs) to the group purchasing organizations (GPOs) that negotiate rebates with drug manufacturers on their behalf. In summer 2023, the agency served compulsory orders on three GPOs, following similar requests in 2022 to the six largest PBMs. That study explores how PBMs may affect consumer prices and competition among pharmacies through fees and clawbacks to unaffiliated pharmacies; steering to PBM-owned pharmacies; unfair auditing of unaffiliated pharmacies; complex reimbursement methods; and drug manufacturer rebates and fees that skew formulary incentives and affect consumer drug costs. The FTC withdrew prior statements suggesting PBMs “saved costs for consumers” as “no longer reflect[ing] market realities” and signaled future antitrust enforcement.

4. Fraud and Abuse Issues to Watch

Jonathan A. Porter, Husch Blackwell LLP
*Contributed by AHLA's Fraud and Abuse Practice Group.

+Listen to Episode 4

The U.S. Supreme Court’s June 2023 decision in United States ex rel. Schutte v. SuperValu Inc.18 was not unexpected yet has shaped the health care compliance world in ways some did not predict. The SuperValu fallout impacted much of the second half of 2023 and will continue to affect the health care field for years to come.

The immediate response to SuperValu has been for courts to err on the side of allowing juries to decide issues of scienter, rejecting prior protections for health care providers that adopted objectively reasonable interpretations of the law. The result, as seen in cases like United States ex rel. Heath v. Wisconsin Bell Inc.,19 decided by the Seventh Circuit in August 2023, is that False Claims Act allegations with at least some factual dispute as to knowledge will get trials, regardless of whether evidence showed that the defendants adopted objectively reasonable legal positions in the absence of authoritative guidance, sending high-stakes and complex factual determinations into the hands of jurors. The upshot is that jurors will now be tasked with deciding what health care providers “knew” when submitting claims to the government, and whether that knowledge constitutes reckless disregard of the provider’s legal duties to the government.

SuperValu’s open-season signaling comes at the same time that two health care providers found out the consequences of losing False Claims Act trials the hard way. The first came in February 2023, when a surgical product distributor lost a six-week False Claims Act trial that saw $43 million worth of kickback-tainted claims escalated into a judgment of $487 million after statutory trebling and per-claim penalties.20 The second came in June 2023, when a Georgia physician lost a two-week False Claims Act trial over his representations made in connection with chelation therapy treatments, and in which he saw $1.1 million in tainted claims grow to a judgment of $27 million after trebling and penalties.21

In other words, health care providers find themselves at an enforcement crossroads going into 2024, with few avenues available for summary judgment and potentially great disasters looming for those choosing to risk a False Claims Act trial. The whistleblower bar has responded to their newfound leverage by setting their qui tam crosshairs no longer on “traditional, ‘Here’s a bag of cash’” health care providers, but instead on health care providers with “the appearance of legitimacy.”22

And to make matters more difficult for legitimate, well-intentioned health care providers, efforts are underway to give whistleblowers even more leverage. In April 2023, the U.S. Senate passed legislation, the Administrative False Claims Act,23 which seeks to provide more avenues and incentives for whistleblowers to bring claims against individuals and companies doing business with the government. As of this writing, that legislation has been sent to the U.S. House of Representatives, which has yet to undertake consideration of the bill.

But the fraud and abuse landscape for health care providers going into 2024 is not all doom and gloom. One bright spot is the additional support for health care providers in the growing circuit split over the extent to which Anti-Kickback Statute violations can serve as a predicate to False Claims Act allegations. In that circuit split, the Third Circuit first opined that nearly any connection between government claims and kickbacks render the government claims false,24 but the Eighth Circuit then held that the language of the Anti-Kickback Statute, which says that only “services resulting from a violation” of the statute are false for False Claims Act purposes, limited application to just claims that would not have been submitted “but for” the kickbacks.25

In March 2023, the Sixth Circuit joined the foray by siding with the health care provider-friendly position previously adopted by the Eighth Circuit.26 And so, the majority of circuits now hold that violations of the Anti-Kickback Statute are not automatic violations of the False Claims Act, but rather that whistleblowers and the Justice Department must adequately allege and then prove that a health care provider would not have made claims to government health care programs “but for the illegal kickbacks.”27 This split appears likely to deepen in the near future, as courts like the District of Massachusetts are already seeing intra-court conflicts on which approach to adopt.28 Accordingly, expect to see this hot-bed issue for the health law world continue to develop in 2024 and beyond.

5. The Diversity Program Landscape After Students for Fair Admissions v. Harvard/UNC

Tiffany Buckley-Norwood, Trinity Health Corporation
*Contributed by AHLA's Labor and Employment Practice Group.

+Listen to Episode 5

On June 29, 2023, the U.S. Supreme Court issued a 237-page opinion in Students for Fair Admissions, Inc. v. President & Fellows of Harvard College (Case No. 20-1199) and Students for Fair Admissions, Inc. v. University of North Carolina (Case No. 21-707).29 In its opinion, the Court held that the “race-based” admissions programs at the institutions violated Title VI of the Civil Rights Act of 196430 (Harvard) and the Equal Protection Clause of the Fourteenth Amendment31 (UNC) because the programs lacked sufficiently focused and measurable objectives warranting the use of race, unavoidably employed race in a negative manner, involved racial stereotyping, and lacked meaningful endpoints.

Diversity Programs Can Still Exist. In the days and months after the opinion, there was a flurry of media articles and formal publications related to what the decision meant not only for postsecondary institutions, but also for employers, boards of directors, and any other entity making selection decisions as part of a diversity or affirmative action program. Even when interpreted with the broadest application, the Supreme Court did not ban all diversity programs in postsecondary schools or otherwise. The Court also did not say that race, gender, or any other protected category32 must be wholly ignored in making selection decisions. To the contrary, the Court made clear that “nothing in [its] opinion should be construed as prohibiting universities from considering an applicant’s discussion of how race affected his or her life, be it through discrimination, inspiration, or otherwise.” Tellingly, on August 14, 2023, the U.S. Department of Education and DOJ jointly issued guidance “to help colleges and universities understand the Supreme Court’s decision as they continue to pursue campuses that are racially diverse and that include students with a range of viewpoints, talents, backgrounds, and experiences.”33 The departments noted that “universities may continue to embrace appropriate considerations through holistic application-review processes and (for example) provide opportunities to assess how applicants’ individual backgrounds and attributes—including those related to their race, experiences of racial discrimination, or the racial composition of their neighborhoods and schools—position them to contribute to campus in unique ways.”

In the employment context, the same day the Court issued its written opinion, the U.S. Equal Employment Opportunity Commission issued a press release expressly stating that the decision “d[id] not address employer efforts to foster diverse and inclusive workforces or to engage the talents of all qualified workers, regardless of their background.”34 In a July 13 letter, the attorneys general of 13 states relied on the Court’s opinion to issue a warning to the CEOs of Fortune 100 companies about their diversity, equity, and inclusion (DEI) programs and policies.35 But on July 19, the attorneys general of 21 states issued a written response, characterizing the original letter as having a “tone of intimidation, which purposefully s[ought] to undermine efforts to reduce racial inequities in corporate America.”36 The letter went on to state, “[w]e write to reassure you that corporate efforts to recruit diverse workforces and create inclusive work environments are legal and reduce corporate risk for claims of discrimination.”

Using Diversity Categories as Context in Selection Decisions. Two key reasons that the Court found the Harvard and UNC admissions programs unlawful were that they unavoidably employed race in a negative manner and involved racial stereotyping. As the Court recognized, race (and gender and other demographic categories) can add context for life experience or perspective, but selection decisions must focus on the individual’s actual life experience/perspective and how they can uniquely contribute to the institution because of those experiences, rather than selecting an individual based specifically on their race or a stereotype of what their experience or perspective must be because of their race. As the Court said, giving “[a] benefit to a student who overcame racial discrimination, for example, must be tied to that student’s courage and determination.” As the Court also stated, “a benefit to a student whose heritage or culture motivated him or her to assume a leadership role or attain a particular goal must be tied to that student’s unique ability to contribute to the university.”

The Goal of a Diversity Program Must Be Logically Tied to the Means Used to Achieve It, and There Should Be Benchmarking to Know When the Goal Is Achieved. Aside from unavoidably employing race in a negative manner and involving racial stereotyping, the other two reasons that the Court found the Harvard and UNC admissions programs unlawful were that they lacked sufficiently focused and measurable objectives warranting the use of race and lacked meaningful endpoints. Diversity programs must “articulate a meaningful connection between the means they employ and the business goals they pursue.” It must be a connection that can be understood, measured, and reviewed so that a court or other law enforcement body can ensure the diversity initiative is temporary, rather than an unlawful attempt at “racial balancing.” Thus, as with any project plan, it will be important to establish a clear purpose for each diversity program that is tied to organizational needs; a specific, measurable, aspirational, and time-bound (SMART) goal that is tied to the purpose and will reflect when the program has achieved success; and lawful benchmarks that will show progress towards the goal.

Conclusion. It is axiomatic that diversity is important in health care. The American Academy of Physician Associates well stated why: “As the demographics in our nation are rapidly changing, increasing racial, ethnic, and cognitive diversity is crucial to achieving a workforce with the capacity to provide accessible and equitable healthcare.”37 There is ample evidence that a diverse workforce improves health care outcomes, fosters unique perspectives, bolsters employee engagement and retention, and helps to reduce health disparities. And there will continue to be case law interpreting the parameters of diversity programs, including to what extent those programs may acknowledge legally protected categories. Thus, it is important to remain up to date on the law in this area as it continues to evolve to ensure diversity programs remain legally compliant.

6. Reproductive Health Update: 2024

Joanne (Jody) Joiner, Tenet Healthcare
Gina L. Bertolini, K&L Gates LLP

+Listen to Episode 6

The U.S. Supreme Court’s 2022 opinion in Dobbs v. Jackson Women’s Health Organization (Dobbs) shifted the issue of abortion to the states and left a wake of uncertainty going into 2023 for individuals, families, health care providers, state legislatures, and state and federal regulators. That uncertainty continued throughout 2023, as states grappled with establishing statutory parameters around abortion and voters took to the polls largely in support of constitutional amendments protecting the right to abortion. We expect to see continued activity at the state level, including more attempts to address reproductive health issues through state constitutions, a strategy that has largely resulted in voters choosing to protect access to abortion using notions of personal autonomy, privacy, equal protection, and due process.38 In 2023, we also saw various federal agencies, including HHS, attempt to heed the Biden administration’s 2022 Executive Orders directing federal agencies to implement measures that protect reproductive freedom.39 Given the uncertainties of any presidential election, we expect the Biden administration to continue to direct federal agencies to take these steps, much like HHS’ Office for Civil Rights (OCR) has done with its proposed rule to limit certain disclosures of reproductive health care, and HHS’ Request for Information on requiring health plans to offer over-the-counter preventive items without a prescription or cost-sharing obligations.40 In reaction to that, and as a strategy to enforce more restrictive state laws, we expect to see a continuation of the challenges to federal agency authority, which states and private parties initiated in 2022 and 2023 in separate actions regarding (1) the Emergency Medical Treatment and Labor Act (EMTALA)41 and (2) the FDA’s approval of mifepristone (often referred to as “the abortion pill”).42

Two of the more significant issues for 2024 are set out below, which are discussed as of this writing in mid-December 2023.

Texas FDA Case. In Alliance for Hippocratic Medicine v. U.S. Food & Drug Administration,43 various physicians and physician groups sought to overturn several actions by the FDA44 related to mifepristone,45 arguing that the drug is unsafe. At issue were four FDA actions: (1) the FDA’s initial approval of mifepristone in 2000, which included a number of conditions on the use of the drug (2000 Approval); (2) changes the FDA made in 2016 to the previously imposed conditions on the use of mifepristone (2016 Amendments); (3) the FDA’s approval in 2019 of a generic form of the drug (2019 Generic Approval); and (4) the FDA’s 2021 decision not to enforce the requirement of in-person dispensing (2021 Non-Enforcement Decision), which was made permanent later that year (collectively, FDA Decisions).

The U.S. District Court for the Northern District of Texas, which initially heard the case, agreed with the plaintiffs and suspended all of the FDA Decisions, including the 2000 Approval. The Biden administration appealed to the Fifth Circuit.46 In August 2023, the Fifth Circuit ruled in favor of plaintiffs, in part, by affirming the district court’s order on the 2016 Amendments and the 2021 Non-Enforcement Decision, effectively rescinding those FDA actions on the basis that they violated the Administrative Procedure Act (APA) by overlooking important safety risks.47 The Fifth Circuit vacated the district court’s order on the 2000 Approval as time-barred and on the 2019 Generic Approval for failure to demonstrate injury.48 The FDA filed a petition for writ of certiorari to the U.S. Supreme Court, which the Court granted on December 13, 2023.49 In the meantime, mifepristone remains available consistent with the FDA’s current guidance, in accordance with the Supreme Court’s stay.

If the Fifth Circuit’s decision is upheld, all existing mifepristone pills (including generic versions) would need to be relabeled and distributed consistent with the original conditions placed on the drug with the 2000 Approval. Those conditions included a time-limit on use of the drug (through the seventh week of gestation), in-person clinic visits, and requiring the drug to be prescribed only by physicians. Currently, mifepristone accounts for over half of the abortions in the United States.50 If the Fifth Circuit decision is upheld, more restrictive conditions on medication abortions will apply and many of these procedures would shift to surgical abortion.

Additionally, both the district court’s and the Fifth Circuit’s rulings have significant ripple effects among the legal, medical, and scientific communities. The direct impact is an open door to judicial challenges regarding FDA decisions and decisions of other executive branch agencies, including decisions that are based on scientific or other specialized knowledge (e.g., engineering, accounting, clinical, technical). Pharmaceutical researchers, manufacturers, and investors face risk related to the research and development of innovative drugs, due to the uncertainty regarding reliability and longevity of FDA approvals. This could have a stifling effect on drug discovery and the development of new life-saving medications for patients.

OCR’s Proposed HIPAA Rule. In April 2023, OCR published an NPRM to protect reproductive health records.51 Because some states now criminalize abortion, OCR acknowledged an increase in law enforcement attempts to obtain protected health information (PHI) for use in civil and criminal proceedings, including reaching beyond their own states’ borders to investigate reproductive health care performed in states where the care is legal.52 To address this, OCR proposed to modify HIPAA by restricting health care providers’ use and disclosure of reproductive health records related to care that occurred in a state where the care was lawful. OCR also proposed to require an attestation prior to certain disclosures, including for law enforcement purposes.53

OCR currently has many competing priorities, including the 2021 proposed rule and proposed changes to the federal law that protects the confidentiality of substance use disorders. Additionally, due to limitations on how frequently HHS can modify a HIPAA standard or implementation specification (no more than once per 12-month period), OCR will need to coordinate these pending changes by finalizing them together or staggering them by at least 12 months.54 We expect that finalizing this NPRM will be a priority, particularly in a presidential election year and in light of the Biden administration’s enforcement priorities.

7. Tax-Related Developments to Watch in 2024

Douglas M. Mancino, Seyfarth Shaw LLP

+Listen to Episode 7

2024 should be a consequential year for nonprofit tax-exempt hospitals and health systems for a number of reasons.

Tax-Exempt Status Will Remain Under Fire. For the past several years, lawmakers, academics, private attorneys, and pundits have been highly critical of the levels of so-called community benefit nonprofit hospitals provide in exchange for the federal income and state property and sales tax exemptions they enjoy. In addition, the Internal Revenue Service (IRS) continues to compile data from Forms 990 Schedules H filed by nonprofit hospitals to compile required reports to Congress and to conduct compliance checks and targeted audits.

In most instances, the critics have used pre-pandemic data that do not reflect the serious losses many hospitals incurred in 2020 and 2021 as well as cherry-picked anecdotes especially about patient billing practices.

Nonprofit hospitals should expect stepped up compliance checks and targeted audits for Schedule H compliance in 2024 and increased assertions of the $50,000 excise tax for failure to conduct adequate community health needs assessments and implementation plans as the IRS responds to congressional pressures to step up enforcement levels. In addition, expect the IRS to become stricter about compliance with Section 501(r)’s requirements concerning billing and collection practices, financial assistance policies and practices, and public disclosure requirements. This is evident from IRS training materials and audit technique guidelines developed for use internally by the IRS and made available to the public through the Freedom of Information Act and other disclosures.

Executive Compensation Will Be Under Greater Scrutiny. Executive compensation paid to hospital and health system executives will also be under increased scrutiny by both the IRS and state and local property tax assessors.

First, nonprofit hospitals should expect increases in challenges to the reasonableness of the levels of compensation paid to executives for their current services. Levels of base and incentive compensation continue to increase in many instances at rates higher than inflation. In addition, many hospitals and health systems decided to make discretionary bonuses when incentive compensation thresholds were not met, requiring a plausible business judgment explanation other than “we wanted to keep our executives happy.” While reasonableness challenges are difficult for the IRS to win, hospitals and health systems need to remain diligent about matters such as peer group identification and compliance with Section 4958’s rebuttable presumption of reasonableness. In addition, document retention practices should be reviewed to ensure that data and reasonableness consultant and legal opinions remain available inasmuch as IRS audits are not typically commenced until at least a year or more after the Form 990 filing date.

Second, expect increased enforcement of compliance with Section 4960’s excise tax on compensation in excess of $1 million and on excess parachute payments paid upon a separation of service. Data published by academic writers showed that health care organizations should have accounted for more than half of the excise taxes owed for 2019, but IRS data for 2019 show a vastly lower level of compliance, and the IRS has gone on record stating it intends to increase the number of compliance checks, which may morph into full-blown audits if meaningful non-compliance is indicated. Also, the excise tax on excess parachute payment applies to highly compensated employees earning less than $1 million and with continued merger and acquisition activity in 2024, payouts under severance and change in control plans along with those due under unfunded deferred compensation arrangements may push levels of what might be considered reasonable to levels that are, under Section 4960’s unique calculation rules, excessive.

Finally, as evidenced by three 2023 Pennsylvania property tax decisions, Section 4960’s excise tax paid by a hospital or health system may be weaponized as evidence that executive compensation levels are excessive and therefore serve as a basis to deny property tax exemption.

8. Medicaid Managed Care: Many Proposals Likely to Be Finalized in 2024

Caroline M. Brown, Brown & Peisch PLLC
Julia M. Siegenberg, Brown & Peisch PLLC

+Listen to Episode 8

Historically, a presidential election year results in a flurry of agency rulemaking to avoid the risk that a new administration will withdraw, postpone, or substantially change the agency’s regulatory agenda. In the last 12 months, CMS has proposed a number of rules that would impact Medicaid and CHIP managed care entities (MCEs), most but not all of which are part of CMS’ May 2023 notice of proposed rulemaking on Medicaid and CHIP Managed Care, Access, and Quality.55 If past is prologue, many of these proposals are likely to be finalized in some form in 2024. Among things to keep an eye out for:

Payment Adequacy and Access. The proposed rules would require MCEs to provide the state with an annual “payment analysis” regarding the total amount paid for primary care, OB/GYN, mental health, and substance use disorder services as a percentage of what Medicare would have paid for the same services. MCEs would also have to report aggregate payments for homemaker services, home health aide services, and personal care services as a percentage of what the Medicaid fee-for-service program would have paid. In a separate rulemaking on Ensuring Access to Medicaid Services,56 also issued in May 2023, CMS proposed to require a Medicaid MCE covering long-term supports and services to assure that its rates were sufficient to provide access to services specified in an individual’s person-centered plan and that 80% of its compensation for certain home- and community-based services go to direct care workers.

Network Adequacy and Maximum Wait Times. The proposed managed care rule would require appointment wait time standards for Medicaid MCEs of no more than ten business days for routine appointments for outpatient mental health and substance use disorder and 15 days for primary care and OB/GYN appointments. States would be required to conduct “secret shopper” surveys to confirm that appointments are available within those time frames at least 90% of the time and to confirm that MCO provider directories are accurate and up to date.

Medical Loss Ratio (MLR). The MLR is a ratio equal to the sum of an MCE’s incurred claims (and certain expenditures for quality and fraud prevention) divided by adjusted premium revenue. CMS has proposed more stringent requirements regarding when incentive payments from MCEs to providers can be counted in the numerator of the MLR and clarified that state-directed payments paid separately from capitation payments should be included in the denominator.

Quality Rating System. CMS has also proposed to finalize its Medicaid and CHIP Managed Care Quality Rating System, under which MCEs will be evaluated on a number of mandatory quality measures. States will be required to use this system or a “substantially comparable” one approved by CMS and must publish the quality ratings on their websites. States would also need to develop robust search criteria that would allow users to stratify a plan’s quality metrics by dual eligibility status, race and ethnicity, sex, age, rural/urban status, disability, language of the enrollee, and any other factors specified by CMS.

Prior Authorization and Interoperability. In December 2022, CMS issued a proposed rule57 that would require managed care plans in government programs, including Medicaid and CHIP managed care entities, to build and maintain an application program interface (API) for Prior Authorization Requirements, Document and Decisions (PARDD) for all Medicaid items and services subject to prior authorization, other than prescription drugs. The PARDD API is intended to automate and streamline the process for providers to determine whether a prior authorization is required; identify prior authorization information and documentation requirements; and facilitate the exchange of prior authorization requests and decisions. In addition, the rule would establish turn-around times for prior authorization requests of 72 hours for expedited requests and seven calendar days for all standard requests.

Pharmacy Benefit Managers and Spread Pricing. In May 2023, CMS issued a proposed rule on the Medicaid Drug Rebate Program58 that would, among other things, require plans that contract with pharmacy benefit managers to separately report to states the amount spent for covered outpatient drugs (including associated dispensing fees) and other administrative costs (including any fees generated through spread pricing). In the same rulemaking, CMS proposed to require that Medicaid prescription identification cards include unique Medicaid identifiers (Bank Information Numbers and Processor Control Numbers).

Mental Health Parity. In August 2023, CMS (together with the Treasury and Labor Departments) published new proposed rules regarding mental health parity, specifically with respect to the comparative analyses required by the Consolidated Appropriations Act of 2021 to assess the impact of NQTLs on access to care.59 While those proposed rules do not apply to Medicaid and CHIP (which are not considered group health plans), Medicaid and CHIP MCEs are subject to mental health parity requirements generally, and in September 2023, CMS issued a “Request for Comments” as to how to assess compliance with these requirements.60 Among other things, CMS has requested input as to “measures or datapoints or other information that could help identify potential parity violations in Medicaid managed care,” including regarding provider network composition and standards such as reimbursement rates and credentialing.

9. Tracking Technology Remediation, Litigation, and Enforcement

Carolyn V. Metnick, Sheppard Mullin Richter & Hampton LLP

+Listen to Episode 9

Since the OCR published its bulletin on the use of online tracking technologies in December 2022 (Bulletin),61 many HIPAA-regulated entities (and particularly hospitals and health systems, which are often primary targets in plaintiffs’ litigation) have been investigating the technologies currently on their websites, applications, and portals; exploring remediation; and analyzing whether breach notification is required. This area will likely continue to evolve through 2024.

Tracking technologies, which include cookies, web beacons, pixels, and scripts, can collect, store, and analyze user activity across one or multiple web pages. They can be used for behavioral targeting, ad personalization, re-targeting, visitor profile building, and web analytics, among other purposes. OCR’s Bulletin describes how the use of tracking technologies by HIPAA-regulated entities can implicate HIPAA and emphasizes that regulated entities may not use tracking technologies in a manner that results in an impermissible use or disclosure of PHI in violation of HIPAA.

The Bulletin explains how HIPAA-regulated entities disclose information to tracking technology vendors through the use of technologies on their sites and distinguishes between authenticated and unauthenticated websites. Authenticated sites are those that require a user to login for access, while an unauthenticated site does not require a log in and is generally accessible to the public. The Bulletin provides that all individually identifiable health information collected on a regulated entity’s site is generally PHI, even if the individual does not have an existing relationship with the regulated entity, because it is “indicative that the individual has received or will receive health care services or benefits from the covered entity,” and therefore, it “relates to the individual’s past, present or future health or health care or payment for care.”62 The Bulletin further explains that authenticated webpages generally have access to PHI, and unauthenticated webpages generally do not, but in some cases, may have access to PHI.63 The Bulletin provides that a login page or a registration page generally are unauthenticated but if the user enters credentials on that page, the information is PHI. It further notes that unauthenticated sites that address “specific symptoms or health conditions, such as pregnancy or miscarriage, or that permit individuals to search for doctors or schedule appointments without entering credentials” may have access to PHI.64

Regulated entities have been forced to examine their websites, portals, and apps to determine whether technologies are in place that are collecting PHI and to analyze in each case whether the disclosure is permitted by the Privacy Rule. Because disclosures for marketing purposes require an individual’s authorization, disclosures for marketing without authorization are impermissible. Further, even where disclosures to tracking technology vendors have a permissible purpose under the Privacy Rule, HIPAA-regulated entities must still ensure that a business associate agreement is in place. To the extent a business associate agreement is not in place and PHI has been impermissibly disclosed, regulated entities must determine whether a breach has occurred and perform a risk assessment to determine the probability that the PHI was compromised. To further complicate matters, many third-party vendors are unwilling to enter into business associate agreements, and as a result, covered entities may need to look for new vendors and explore alternatives. In many cases, they are removing the technologies without replacing them at great cost and burden.

Beyond investigation and remediation, regulated entities must also deal with the threat of litigation. Plaintiffs’ lawyers continue to file new class actions weekly against covered entities, and we can only expect this trend to continue (particularly given how easy it is to determine on what pages tracking technologies are operating). While we have not yet seen any enforcement action from OCR, there have been hints that enforcement action may be coming. For example, in July 2023, the FTC and HHS sent joint warning letters to a reported 130 hospitals and telehealth providers warning about the use and risks of tracking technologies.65

On November 2, 2023, the American Hospital Association, the Texas Hospital Association, and the Texas Health Resources and United Regional Health Care System filed suit against the HHS Secretary and the OCR Director regarding the Bulletin.66 The lawsuit challenges the portion of the Bulletin that suggests that the use of tracking technologies on unauthenticated websites may be subject to HIPAA, alleging that HHS exceeded its authority under HIPAA and the First Amendment of the U.S. Constitution and that it failed to follow the rulemaking process as set forth in the Administrative Procedure Act. This case makes it clear that tracking technologies will continue to capture our attention through 2024.

10. Drug Pricing: 340B Developments to Watch

Jolee H. Bollinger, Sharp HealthCare
Andrew D. Ruskin, K&L Gates LLP

+Listen to Episode 10

Few stakeholders in health care will be surprised if 2024 demonstrates the usual burst of activity in the world of drug pricing. With the 2024 election, it is likely that both sides will campaign on increasing the affordability of prescription drugs. President Biden will almost certainly tout the Inflation Reduction Act of 2022 as a major victory, ushering in an era of Medicare drug price negotiation. If, however, the courts give the plaintiff manufacturers a win in their litigation to overturn the law, that might play well for his opponent. More germane to health care providers is the 340B Drug Discount Purchasing Program, which allows “covered entities” such as safety net providers to purchase prescription drugs at a substantial discount.67 By some estimates, purchasing under the 340B Program exceeded $53 billion in 2022.68 With health system finances still in recovery mode, the continued well-being of the program is extremely consequential. And yet, the path forward remains murky.

Among the reasons for uncertainty in the 340B Program is the ongoing litigation, by both manufacturers and covered entities, which has revealed large gaps in the structure of the statute itself. In 2021, manufacturers began to file lawsuits against the Health Resources and Services Administration (HRSA) challenging its “contract pharmacy” policy, which allows covered entities to enter into contracts with various retail pharmacies under which the pharmacies dispense drugs to patients on behalf of covered entities and receive replenishment with 340B drugs.69 The manufacturers, however, claimed that there is no obligation under the 340B Program statute to sell discounted drugs to contract pharmacies.70 The courts have struggled with interpreting the sparsely worded statute. In January 2023, the Third Circuit ruled essentially that HRSA could advise 340B Program stakeholders only on what is permitted, and not on what is required, resulting in manufacturers named in the suit being no longer required to sell drugs at 340B prices to contract pharmacies.71 Two other federal circuit courts have yet to rule on the matter.72

Somewhat symmetrically, the U.S. District Court for the District of South Carolina ruled in November 2023 that HRSA’s limitations on individuals who qualify as covered entity “patients” is also unlawful.73 HRSA issued a notice regarding its criteria for the definition of “patient” in 1996, and over time has informally modified its definition.74 Genesis Healthcare, facing exclusion from the 340B Program because HRSA believed it had engaged in unlawful “diversion,” sued to enjoin HRSA from enforcing its policy.75 Specifically, Genesis sought to use 340B drugs even for patients where the prescription originated outside of Genesis itself, violating HRSA’s informal rules. The court did not afford HRSA much deference, aligning with the Third Circuit’s “contract pharmacy” opinion, and found no support for HRSA’s position to define “patient” narrowly.76 While the decision only applies directly to Genesis, other covered entities are taking note of HRSA’s authority, or lack thereof. In other words, both manufacturers and covered entities are growing increasingly aware of their own ability to decide how to interpret requirements, where HRSA itself has diminished ability of its own.

The issues HRSA is facing to impose its interpretations on 340B Program stakeholders are not the result of its own actions, but rather the lack of delegated powers in the statute itself. It has become increasingly clear that a change in the statute is warranted. In June 2023, an ad hoc bipartisan committee of the Senate issued an open letter to 340B Program stakeholders seeking proposals for statutory reform.77 Many commenters addressed questions about the scope of the definition of patient, uses of 340B savings, and the continued availability of the contract pharmacy channel. Thus far, the committee has noted that it received robust comments, but has taken no visible action. More recently, Senator Bill Cassidy (R-LA) issued a letter to several health systems asking them to justify their participation in the 340B Program,78 underscoring that gaining consensus within Congress on 340B reform remains a tough task.

And yet, without congressional action, the trajectory from 2023 to 2024 is more chaos in the courts, as HRSA continues to find one policy after another struck down, jurisdiction by jurisdiction. There have been some indications that discrete groups of manufacturers and covered entities are coming together to develop compromises to present to Congress. For these ideas to germinate, stakeholders will need to identify common ground and acceptable trade-offs, which may be the avenue pursued as the statute’s flaws become clearer through continued litigation.

Lisa Amanti is currently Assistant General Counsel on the Legal team at athenahealth. She established and leads the team that performs legal review of emerging services, with a strong emphasis on data and privacy related matters, including artificial intelligence. Her team is dedicated to working collaboratively with cross-functional teams to enable Athena’s fast-paced innovation through new service offerings and strategic initiatives.

Katherine Snow is Privacy Counsel for Hinge Health Inc., where she provides advice to product and clinical teams in the digital health space. Prior to joining Hinge Health, Katherine served in similar roles for a value-based care provider, FEHB health plan, and health care system.

Alya Sulaiman is a technology lawyer and Partner at McDermott Will & Emery LLP, where she advises organizations on how to thrive in the digital age. Alya specializes in regulatory product counseling and technology transactions. Before joining McDermott, she previously served in a range of in-house roles including as corporate counsel and director of regulatory affairs for Epic, a global health care software company.

Kevin Malone is a Member of the Firm at Epstein Becker & Green PC and a Strategic Advisor in the firm’s affiliated consulting practice EBG Advisors. Kevin provides regulatory and strategic guidance related to health care financing law and policy at both the federal and state levels, with a particular focus on Medicaid, Medicare, behavioral health, long term care, and managed care. In addition to serving some of the largest companies in the health care industry, Kevin also works with start-ups, regional and local health care companies, trade associations, and state and local governments.

David Shillcutt is a Member of the Firm at Epstein Becker & Green PC. David’s practice is centered at the intersection of behavioral health, managed care, and regulatory compliance for payors, providers, and vendors, including a particular focus on the Mental Health Parity and Addiction Equity Act (MHPAEA) and related state requirements. David guides clients through complex regulatory thickets and internal operating silos to design forward-looking programs and strategies that build on the best available evidence and experience.

Rosa M. Morales is a counsel in Crowell & Moring’s Antitrust & Competition Group. Rosa counsels and represents clients on all aspects of antitrust and competition law, specializing in antitrust litigation, including government challenges, multi-district litigation, and class actions, as well as government investigations, arbitration, and merger reviews. Rosa’s work spans across various sectors with a focus on health care and pharmaceuticals, telecommunications and media, and financial services.

Alexis J. Gilman is a Partner in Crowell & Moring’s Antitrust & Competition Group and a former head of the Mergers IV Division of the Federal Trade Commission. Alexis advises and represents clients on a broad range of civil antitrust matters, including compliance counseling, merger reviews and clearances, government investigations, premerger Hart-Scott-Rodino (HSR) notifications, and antitrust litigation, with a particular focus on representing parties and third parties in merger investigations by the FTC, DOJ, and state attorneys general.

Jonathan A. Porter is a Partner of Husch Blackwell LLP in Savannah, Georgia. Jonathan helps health care providers with federal investigations and their toughest compliance issues. He is a former federal prosecutor, and during his time with the Justice Department, he prosecuted significant criminal cases in the health care industry and also investigated and litigated cases under the False Claims Act. Jonathan serves AHLA as one of the Vice Chairs of the Fraud and Abuse Practice Group. He also teaches white-collar crime as an adjunct professor at Mercer University School of Law in Macon, Georgia.

Tiffany Buckley-Norwood is an Associate Counsel for Trinity Health Corporation. As an experienced attorney and leader, she regularly applies her knowledge of the law, business acumen, and inclusive leadership skills to share information that adds value to critical business decisions. Tiffany delivers forward-thinking, sound, and practical advice on employee relations and compliance initiatives. She partners nationally and cross-functionally with human resources, senior leadership, and other relevant stakeholders on personnel, investigations, transactions, and other matters. Tiffany also is a Vice Chair of Education for AHLA’s Labor & Employment Practice Group. *Any statements in this article are Tiffany’s opinion and do not necessarily represent the views of Trinity Health.

Joanne (Jody) Joiner, is Senior Counsel for Tenet Healthcare in Dallas, Texas for which she provides legal advice related to health care operations for 14 hospitals and 16 imaging centers. Previously she was in-house legal counsel at Integris Health in Oklahoma City, Oklahoma. Prior to those roles, Ms. Joiner was a partner in the Polsinelli Law Firm in Kansas City, Missouri. During her 30 years of practicing law, she has also been Associate General Counsel for the Missouri Hospital Association in Jefferson City, Missouri and Assistant Attorney General for the State of Missouri. She also has been a faculty member at the University of Kansas School of Law, William Woods University, Columbia College, and The University of Texas at Dallas. *Ms. Joiner would like to recognize the assistance of Veda Tsai, a 2025 Juris Doctor Candidate at The University of Texas School of Law, in the preparation of this article.

Gina Bertolini, a Partner at K&L Gates LLP, advises health care clients on health care privacy and security and interoperability, fraud and abuse, and issues related to patient care and health care operations. As a former academic medical center in-house attorney, Gina frequently advises on the intersection of complex federal and state laws and the provision of health care, including reproductive health care post-Dobbs. Gina considers provider and patient needs while delivering nuanced and creative solutions to the complex interplay among federal and state policy, privacy, and emerging technology within the health care space.

Douglas M. Mancino is a Partner with Seyfarth Shaw LLP. He represents all types of health care and nonprofit organizations throughout the United States on tax, business, and financial matters. Doug has extensive experience in audits, appeals, and tax litigation. He has served as counsel to health care clients in a case that defined the limits of tax-exempt organizations participating in health care joint ventures and the tax-exemption of health plans. Doug has authored or co-authored five books and treatises, including Taxation of Hospitals and Health Care Organizations, and more than 110 articles concerning tax-exempt organization and health care issues. He is a former president of the American Health Law Association.

Caroline Brown is a founder and partner at Brown & Peisch PLLC, where her practice focuses on Medicaid and other federally-funded programs administered by state human services agencies. She counsels state agencies, consulting firms, and providers across the country on Medicaid regulations and guidance, including Medicaid upper payment limits (UPL), Medicare and Medicaid disproportionate share hospital (DSH) payments, certified public expenditures (CPE), graduate medical education (GME), Medicaid managed care, payment for home and community-based services, dual eligibles, provider taxes, and Section 1115 demonstration projects.

Julia Siegenberg is a senior associate at Brown & Peisch PLLC, where she works on matters relating to Medicaid and Medicare, as well as non-health care federal entitlement programs administer by state governments. Julia advises clients on Medicaid regulations and guidance, represents clients before the HHS Departmental Appeals Board, and defends clients in complex federal court litigation matters. Her practice also includes counseling clients on compliance with federal privacy, security, and confidentiality laws, including the application of HIPAA and Part 2 to government-sponsored health care programs.

Carolyn V. Metnick is a Partner in the Corporate Practice Group in Sheppard Mullin Richter & Hampton LLP’s Chicago office and a member of the Healthcare and Privacy & Cybersecurity Teams. Carolyn represents a range of health care industry clients, including hospitals and health systems, physician organizations, and digital health companies. She advises on health care regulatory and transactional matters with a focus on health information privacy and security. Carolyn is a Certified Information Privacy Professional/United States (CIPP/US) and a Certified Information Privacy Professional/Europe (CIPP/E).

Jolee H. Bollinger serves as Deputy General Counsel at Sharp HealthCare in San Diego, California. She previously served as General Counsel for Franciscan Missionaries of Our Lady Health System in Baton Rouge, Louisiana.

Andrew D. Ruskin is a Partner in K&L Gates LLP’s Washington, DC office. He is a member of the Health Care and FDA practice group. Andy’s practice concentrates on the myriad ways that Medicare and Medicaid reimbursement and compliance shape the U.S. health care ecosystem. Andy provides practical guidance on compliance with a wide range of regulatory requirements, including the Provider Based Rule, rules governing graduate medical education, 340B compliance, and clinical trial reimbursement rules. A recognized thought leader and an active member of industry organizations, Andy serves as the current Chair of the American Health Law Association’s Institute on Medicare and Medicaid Payment Issues.

1 This article was written in mid-December 2023, and it is likely that there have been developments in AI policy and regulation between then and the publication date.

3 White House, FACT SHEET: Biden-Harris Administration Secures Voluntary Commitments from Eight Additional Artificial Intelligence Companies to Manage the Risks Posed by AI (Sept. 12, 2023),

4 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (Oct. 30, 2023),

5 Dep’t of Health and Human Servs. Office for Civil Rights, HIPAA Administrative Simplification,

6 Nat’l Inst. of Standards and Tech., AI Risk Management Framework,

7 ONC, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule,

8 The Mental Health Parity Act of 1996 (MHPA), Pub. L. No. 104-204, Tit. VII, §§ 701-702, 100 Stat. 2874, 2944-50 (Sept. 26, 1996), prohibited the imposition of annual or lifetime dollar limits on mental health (MH) benefits that were more restrictive than the annual or lifetime dollar benefits applied to medical/surgical benefits in large employer-sponsored plans. However, it did not apply to substance use disorder (SUD), other employer types or insurance issuers, and did not restrict the use of discriminatory quantitative benefit limits or cost sharing, or to non-quantitative limits like categorical benefit exclusions for MH or SUD services.

9 See Gov’t Accountability Office, GAO-12-63, Mental Health and Substance Use: Employers’ Insurance Coverage Maintained or Enhanced Since Parity Act, but Effect of Coverage on Enrollees Varied (Nov. 2011),

10 CMS issued separate regulations in the Medicaid and CHIP parity final rules, 81 Fed. Reg. 18390 (Mar. 30, 2016) (codified at 42 C.F.R. pts. 438, 440, 456, and 457).

11 See Gov’t Accountability Office, GAO-22-104597, Mental Health Care: Access Challenges for Covered Consumers and Relevant Federal Efforts (Mar. 2022),

12 The Tri-Agencies have jointly issued 15 sets of Frequently Asked Questions with 96 questions, eight enforcement fact sheets, six compliance assistance tools and templates, seven reports to Congress, six press releases, and seven consumer publications.

13 See MHPAEA Comparative Analysis Report to Congress, July 2023.

14 I.R.C. § 9812(a)(8)(A), ERISA § 712(a)(8)(A), and PHS Act § 2726(a)(8)(A).

15 See MHPAEA Comparative Analysis Report to Congress, July 2023.

16 88 Fed. Reg. 51552 (Aug. 3, 2023).

17 Center for Medicaid & CHIP Services, Request for Comments on Processes for Assessing Compliance with Mental Health Parity and Addiction Equity in Medicaid and CHIP (Sept. 2023),

18 598 U.S. 739 (2023).

19 75 F.4th 778 (7th Cir. 2023).

20 See United States v. Fesenmaier v. The Cameron-Ehlen Group, Case No. 0:13-cv-3003 (D. Minn.), Doc. 1042 (judgment).

21 See United States v. Adams, Case No. 4:18-cv-191 (N.D. Ga.), Doc. 264 (judgment).

22 Jeff Overley, FCA Chases ‘Shrewder’ Kickbacks As 50-Year Hunt Intensifies, Law360, May 10, 2023 (quoting whistleblower attorney),

23 S. 659.

24 See United States ex rel. Greenfield v. Medco Health Sols., Inc., 880 F.3d 89 (3d Cir. 2018).

25 See United States ex rel. Cairns v. D.S. Med. LLC., 42 F.4th 828 (8th Cir. 2022).

26 See United States ex rel. Martin v. Hathaway, 63 F.4th 1043 (6th Cir. 2023).

27 Cairns, 42 F.4th at 836.

28 Compare United States v. Teva Pharms. USA, Inc., 2023 WL 4565105, at *5 (D. Mass. July 14, 2023) (following Third Circuit’s approach) with United States v. Regeneron Pharms., Inc., No. 20-11217, Doc. 351 at 21 (D. Mass. Sept. 27, 2023) (following Sixth and Eighth Circuits’ approaches and requiring but-for causation).

29 Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 600 U.S. _____ (2023).

30 For private entities, such as Harvard, that receive federal financial assistance, Title VI of the Civil Rights Act, 42 U.S.C. § 2000d states: “No person in the United States shall, on the ground of race, color, or national origin, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any program or activity receiving Federal financial assistance.”

31 For public entities, such as UNC, the federal Equal Protection Clause (U.S. Const. Fourteenth Amendment § 1) prohibits “deny[ing] to any person within its jurisdiction the equal protection of the laws” based on race.

32 While the Students for Fair Admissions case focused on laws prohibiting selection decisions based on race, there are other laws that prohibit selection decisions based on other categories. For example, Title VII of the Civil Rights Act, 42 U.S.C. § 2000e et seq., prohibits employment decisions based on race, color, religion, sex (including pregnancy, sexual orientation, and gender identity), and national origin. The Age Discrimination in Employment Act, 29 U.S.C. § 623, prohibits employment decisions based on age.

33 U.S. Dep’t of Justice and U.S. Dep’t of Education, Advance Diversity and Opportunity in Higher Education: Justice and Education Departments Release Resources to Advance Diversity and Opportunity in Higher Education (Aug. 14, 2023),

34 U.S. Equal Employment Opportunity Comm’n, Press Release, Statement from EEOC Chair Charlotte A. Burrows on Supreme Court Ruling on College Affirmative Action Programs (June 29, 2023),

37 Kayingo G, Bradley-Guidry C, Burwell N, Suzuki S, Dorough R, Bester V, Assessing and benchmarking equity, diversity, and inclusion in healthcare professions, JAAPA 35(11):p 51-54 (Nov. 2022).

38 Since the Dobbs decisions, seven states have enacted constitutional amendments supporting access to abortion. See Geoff Mulvihill, Associated Press, Here are the states where abortion access may be on the ballot in 2024, PBS NewsHour, Nov. 8 2023,

39 E.O. 14079 (Aug. 3, 2022), 87 Fed. Reg. 49505; E.O. 14076 (Jul. 8, 2022), 87 Fed. Reg. 42053.

40 Notice of Proposed Rulemaking, HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (Apr. 17, 2023); Notice of Proposed Rulemaking, HHS Request for Health Plans to Offer Over-the-Counter Contraceptives without a Prescription, 88 Fed. Reg. 68519 (Oct. 4, 2023).

41 See, e.g., State of Texas v. Becerra, No. 23-10246, (5th Cir.), March 10, 2023 (appealing Texas v. Becerra, 623 F. Supp. 3d 696 (N.D. Tex. 2022)); and United States v. Idaho, 82 F.4th 1296 (9th Cir. 2023) (granting re-hearing en banc of United States v. Idaho, 2023 WL 3284977 (D. Idaho May 4, 2023)).

42 Washington v. United States Food & Drug Admin., No. 1:23-CV-3026-TOR, 2023 WL 2941567 (E.D. Wash. Apr. 13, 2023); All. for Hippocratic Med. v. U.S. Food & Drug Admin., 78 F.4th 210 (5th Cir. 2023).

43 All. for Hippocratic Med. v. U.S. Food & Drug Admin., 78 F.4th 210 (5th Cir. 2023).

44 Danco Laboratories, LLC (Danco), the pharmaceutical company that manufactures mifepristone, entered the case as intervenor.

45 Mifepristone is part of a two-drug treatment to terminate a pregnancy or manage a miscarriage in a process that includes taking mifepristone followed by misoprostol. All. for Hippocratic Med. v. U.S. Food & Drug Admin., 78 F.4th 210 (5th Cir. 2023).

46 The Biden administration appealed to the Fifth Circuit and requested a stay on the lower court’s ruling, but the Fifth Circuit only stayed the district court’s decision on the 2000 Approval. The Biden administration appealed to the U.S. Supreme Court, which stayed the entire district court order. Id. at 227.

47 Id. at 256.

48 The Fifth Circuit’s holding is subject to the Supreme Court’s prior order, which stayed the district court’s order pending resolution of the Fifth Circuit appeal and disposition of any petition for writ of certiorari. Id. at 223.

49 Food & Drug Admin. et al. v. Alliance for Hippocratic Medicine et al., 78 F.4th 210 (5th Cir. 2023), cert. granted (U.S. Dec. 13, 2023) (No. 23-235).

50 Nat’l Acads. of Sci., Eng’g. & Med., The Safety and Quality of Abortion Care in the United States 152 (2018).

51 88 Fed. Reg. 23506 (Apr. 17, 2023).

52 Id. at 23519.

53 Id. at 23523.

54 45 C.F.R. § 160.104.

55 88 Fed. Reg. 28092 (May 3, 2023).

56 88 Fed. Reg. 27960 (May 3, 2023).

57 87 Fed. Reg. 76238 (Dec. 13, 2022).

58 88 Fed. Reg. 34238 (May 26, 2023).

59 88 Fed. Reg. 51552 (Aug. 3, 2023).

60 See supra, note 17.

61 Dep’t of Health and Human Servs. Office for Civil Rights, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,

62 Id.

63 Id.

64 Id.

65 Fed. Trade Comm’n, Model Letter: Use of Online Tracking Technologies (July 20, 2023),

66 American Hosp. Ass’n et al. v. Rainer et al., No. 4:23-cv-01110-P (N.D. Tex. 2023).

67 Public Health Service Act, § 340B (340B Program).

68 See, e.g., Drug Channels, EXCLUSIVE: The 340B Program Reached $54 Billion in 2022—Up 22% vs. 2021 (Sept. 24, 2023),

69 See, e.g., AstraZeneca Pharmaceuticals LP v. Becerra, C.A. 1:21-cv-27 (original complaint filed Jan. 12, 2021).

70 See, e.g., id.

71 Sanofi Aventis U.S. LLC v. Becerra, 58 F.4th 696, 704 (Jan. 30, 2023).

72 Similar cases are pending before the Seventh and D.C. Circuits.

73 Genesis Health Care, Inc. v. Becerra, No. 4:19-cv-01531-RBH, 2023 WL 7549156 (D.S.C. Nov. 3, 2023).

74 Id. at *2 (citing to 61 Fed. Reg. 55156-01, 55157 (Oct. 24, 1996)).

75 Id. at *6.

76 Id. at *8 (noting that HRSA was only entitled to the less deferential Skidmore test).

78 United State Senate Committee on Health, Education, Labor & Pensions, Ranking Member Cassidy Opens Investigation into Hospital Revenue Generated by 340B Drug Program, Sept. 28, 2023,

Top Ten Issues in Health Law 2024 Podcast Series

Based on this year's article, a special 10-part podcast series has been created, bringing together thought leaders from across the health law field to discuss the top ten issues of 2024.

AHLA thanks PYA for their support of this series:


Watch and Listen to the Series