2024 is shaping up to be a very active year for regulatory and enforcement developments in the healthcare industry – developments that concern not just hospitals and nursing facilities, but many non-healthcare companies as well, including technology companies, that engage in business practices directly creating compliance risk for the industry.
The top new regulatory and enforcement initiatives that either have already entered into force or will be forthcoming in 2024 include:
- Higher penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA)
- New policy initiatives to scrutinize healthcare-related anticompetitive practices
- New healthcare-specific cybersecurity requirements
- Enhanced oversight of private equity (PE) firms’ ownership structures
- New regulations addressing the use of artificial intelligence in healthcare
In short, 2024 promises to be an especially busy year for chief compliance officers, chief risk officers, and their counsel across many sectors and subsectors of the healthcare industry.
This post, the first in a three-part series, will cover the increase in enforcement action for the healthcare industry.
Increased oversight and enforcement
With these regulatory and enforcement developments, the U.S. Department of Health and Human Services (HHS) will not be the only agency enhancing its oversight of HIPAA violations and, more generally, of non-compliant patient health and safety practices. Other federal agencies focusing on the healthcare industry will be the Antitrust Division of the U.S. Department of Justice (DOJ), the U.S. Federal Trade Commission (FTC), and, as it relates to cybersecurity practices in health care, the Cybersecurity and Infrastructure Security Agency (CISA).
OCR and FTC enforcement of online tracking technologies
One area of HIPAA non-compliance to which federal agencies will be paying continued attention is the use of online tracking technologies, particularly by hospitals and telehealth providers.
In a joint letter sent in July 2023 to approximately 130 healthcare organizations, the Office for Civil Rights (OCR) and the FTC cautioned hospitals and telehealth providers about “privacy and security risks related to the use of online tracking technologies” that may be present on their websites or mobile applications and that could be impermissibly disclosing consumers’ sensitive protected health information (PHI) to third parties.
While OCR administers and enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules), which set minimum privacy and security standards for PHI, the FTC enforces deceptive or unfair business practices, including the misuse and exploitation of PHI.
Because tracking technologies are used to collect and analyze information on users’ interactions with websites or mobile apps, the HHS and FTC in their joint letter remind healthcare organizations of their compliance obligations under the HIPAA Rules when using tracking technologies related to PHI. As OCR Director Melanie Fontes Rainer warned, “OCR continues to be concerned about impermissible disclosures of health information to third parties and will use all of its resources to address this issue.”
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, similarly warned, “The FTC is, again, serving notice that companies need to exercise extreme caution when using online tracking technologies and that we will continue doing everything in our powers to protect consumers’ health information from potential misuse and exploitation.”
The OCR and FTC further stressed that companies not covered by HIPAA – such as digital healthcare platforms – also have a responsibility to prevent unauthorized disclosure of PHI. Through a series of recent enforcement actions, the FTC warned companies to monitor the flow of PHI to third parties through tracking technologies, because unauthorized disclosure could constitute a violation of the FTC Act and a security breach under the FTC’s Health Breach Notification Rule.
Risk and compliance professionals of HIPAA-covered entities and business associates seeking further guidance should refer to the OCR’s December 2022 bulletin, which clarifies not just what tracking technologies are, but also how the HIPAA Rules apply to them. They should also familiarize themselves with the requirements of the FTC’s Health Breach Notification Rule.
HHS Compliance Program Guidance
On Nov. 6, 2023, the HHS Office of the Inspector General (OIG) issued its long-awaited General Compliance Program Guidance (GCPG), a one-stop-shop reference guide for the healthcare compliance community.
From a resource standpoint, the GCPG provides an extensive overview of certain federal healthcare laws – including the Anti-Kickback Statute, Stark Law, False Claims Act, and HIPAA – and related enforcement actions. The GCPG further provides a long list of OIG processes and resources, including Advisory Opinions, Special Fraud Alerts, Corporate Integrity Agreements, and more.
The most significant portion of the GCPG discusses each of the “seven elements” of a robust compliance program:
- Written policies and procedures
- Compliance leadership and oversight
- Training and education
- Effective lines of communication with the compliance officer
- Enforcing standards: Consequences and incentives
- Risk assessments, auditing, and monitoring
- Responding to offenses and developing corrective action initiatives
The GCPG further devotes an entire section to how small entities can meet the above seven elements, even with limited resources. Recommended measures include, for example, designating an individual as the compliance contact with responsibility for ensuring the completion of compliance activities; having policies, procedures, and training in place; fostering a culture that facilitates communication about compliance concerns; and more.
Conclusion
Many of the top regulatory and enforcement themes for the healthcare industry in 2024 are mentioned in the GCPG. For example, the guidance stresses that compliance with the HIPAA Rules “should be a top compliance priority and included in all risk assessments.”
The GCPG also directly addresses new entrants in the healthcare industry, including technology companies. Specifically, the OIG noted in the guidance that many business practices that are common in other sectors create compliance risk in healthcare, including potential criminal, civil, and administrative liability.
Practically speaking, the compliance message for new entrants, according to OIG, is to “take steps to ensure that they and any business partners possess a solid understanding of the federal fraud and abuse laws, in addition to other applicable laws, and that they possess an understanding of the critical role an effective compliance program plays in preventing, detecting, and addressing potential violations.” OIG added that new entrants should use the GCPG as a practical tool to assist them in “establishing and operating effective compliance programs for healthcare lines of business.”
To learn more about how NAVEX can help keep your healthcare organization compliant with current and upcoming regulations, check out our solutions by industry.