
Three Key Changes to Breach Notification Law
The New York General Business Law § 899-aa, also known as the New York Stop Hacks and Improve Data Security Act (“SHIELD Act”), was amended in three key aspects: (1) a new 30-day breach notification timeframe, (2) a new notice requirement for New York Department of Financial Services (“DFS”) regulated entities, and (3) an amended definition of “Private Information.”
The SHIELD Act requires persons and businesses that own or license data containing Private Information to notify affected New York residents, certain state regulators, and consumer reporting agencies following a security “breach” of that information. The recent amendment now sets forth an explicit 30-day notification timeline, instead of the previous requirement to notify “in the most expedient time possible and without unreasonable delay.” The recent amendment to the SHIELD Act also introduces a new requirement for DFS-regulated entities that experience a breach to notify DFS, the New York State attorney general, the New York Department of State and the state police. These requirements became effective as of December 21, 2024.
The definition of “Private Information” under the SHIELD Act was expanded to explicitly include medical and health insurance information. Under the SHIELD Act, notice of a breach of any Private Information is required to be provided to the affected resident. Under the amended statute, Private Information now includes personal information consisting of “…(v) medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a health care professional; or (vi) health insurance information including an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify an individual or any information in an individual’s application and claims history, including but not limited to, appeals history….”
Previously, the statute did not specifically require notifications for breaches that impacted medical or health insurance information. While HIPAA-covered entities are deemed compliant, and therefore exempt from the SHIELD Act’s security requirements with respect to electronic Protected Health Information (“ePHI”), healthcare providers and other organizations that process any New York resident’s Private Information must still comply with respect to non-ePHI, including the thirty (30) day notification requirement for any breach of Private Information.
For more information and regulatory guidance, please contact Robert Braumuller or Zaina S. Khoury at RBraumuller@bpslaw.com or ZKhoury@bpslaw.com.
New York State Laws Impose New Requirements for Patient Consent and Use of Credit Cards for Medical Services.
Enacted as part of New York State’s health and mental hygiene budget legislation for fiscal year 2024 through 2025, New York Public Health Law Section 18-c will become effective on October 20, 2024 to require healthcare providers to issue separate patient consent forms for treatment and for payment for services. The law also provides that “Consent to pay for any health care services by a patient shall not be given prior to the patient receiving such services and discussing treatment costs.”
The New York Department of Health has not yet issued its expected guidance on how health care providers should implement these new requirements. For example, how may health care providers collect payment if they furnish treatment before the patient agrees to pay and the patient refuses to pay any amount for the service?
The legislation also amends the NY General Business Law (“GBL”) by adding two new sections 349–g and 519–a. These provisions prohibit hospitals and health care providers from:
- Completing any portion of an application for medical financial products for the patient or otherwise arranging for or establishing an application that is not completely filled out by the patient.
- Requiring credit card pre-authorization or requiring the patient have a credit card on file prior to providing emergency or medically necessary medical services to such patient.
NY GBL § 519–a requires hospitals and health care providers to “notify all patients about the risks of paying for medical services with a credit card. Such notification shall highlight the fact that by using a credit card to pay for medical services, the patient is forgoing state and federal protections that regard medical debt. The commissioner of health shall have the authority and sole discretion to set requirements for the contents of such notices.” To comply with this requirement, healthcare providers should update their financial responsibility consent forms to state the following: “The patient understands that the use of a credit card on file and/or credit card preauthorization is a convenience that the patient is electing to utilize, is not a condition to treatment, and that by using a credit card, the patient is foregoing state and federal protections regarding medical debt.”
We will continue to monitor all legislative developments. If you have questions regarding these new requirements, please contact BPS’s Health Law attorneys, Robert Braumuller (914-287-6185 or rbraumuller@bpslaw.com) and Zaina Khoury (914-287-6187 or zkhoury@bpslaw.com).
NYSDOH Proposed Regulations on In-Person Medical Evaluation Requirements and Exceptions for Controlled Substance Prescribing
In response to the COVID-19 public health emergency (PHE), the U.S. Department of Health and Human Services (DOH) waived the Ryan Haight Act’s requirement that at least one in-person medical evaluation take place prior to issuance of a prescription for controlled substances via telehealth. The flexibility granted by DOH allowed telemedicine to be used in place of the in-person evaluation for the prescription of schedule II-V controlled substances. Since the conclusion of the federally declared PHE, the Drug Enforcement Administration (DEA) issued two temporary rules, the last of which extended the rules through December 31, 2024 to permit the prescription of controlled medications through telemedicine.
In light of this impending expiration, on May 15, 2024, the New York State Department of Health (NYSDOH) proposed amendments to Sections 80.62, 80.63, and 80.84 of Title 10 of the Official Compilation of Codes, Rules, and Regulations to align with the DEA’s policy permitting the prescription of controlled substance medications via telemedicine. For example, the proposed regulations adopt the federal regulatory term “in-person medical evaluation” in lieu of the current NY regulatory phrase “physical examination”.
If adopted, these proposed regulations will limit the circumstances in which a controlled substance can be prescribed in the absence of an in-person medical evaluation of the patient by the prescribing practitioner. If the regulations go into effect as proposed, a controlled substance may be prescribed without an in-person medical evaluation, only under the following circumstances:
- When utilizing a consulting and referring practitioner for their patient if the patient’s medical record includes an in-person medical evaluation for the specific medical condition within 12 months performed by the practitioner who referred the patient.
- For a covering practitioner in the temporary absence of the initial prescriber as part of continuing therapy for the patient if the covering practitioner is a part of the same practice or has direct consultation with the initial prescriber confirming the necessity of the prescription.
- For a new condition in an emergency, provided that there is a pre-existing practitioner-patient relationship, the immediate administration of the drug is necessary, no alternative treatment is possible, and the prescription does not exceed a five-day supply.
- Through telemedicine – as such term is defined by article 29-G of the Public Health Law.
The new NYSDOH regulations align with the DEA requirement that prescribers of controlled substances using telehealth must use audio-visual, real-time two-way interaction and write the prescriptions only for legitimate medical purposes. The proposed regulations also seek to align with federal law by removing outdated references to a DEA requirement for prescribing buprenorphine and a patient number limitation which are no longer in effect. Further, the outdated phrase “narcotic addiction” is now replaced with the term “opioid use disorder”.
As the DEA considers permanent changes to federal rules governing the prescription of controlled substances, given NYDOH’s additional intent to align NYS regulations with the federal rules, it is likely that NYDOH will propose revisions to its proposed regulations.
We will continue to monitor all developments. Contact Robert Braumuller at (914) 287-6185 or rbraumuller@bpslaw.com for additional information.
Material Health Care Transactions in New York Subject to DOH Disclosure and Public Comment
A new Article 45-A, titled “Disclosure of Material Transactions,” was added to the New York Public Health Law as part of the 2024 New York State Executive Budget law that Governor Kathy Hochul signed on May 3, 2023. This new legislation will substantially increase regulatory oversight by the New York State Department of Health (“DOH”) over large health care transactions.
It applies to “health care entities,” which are broadly defined to include physician groups, management services organizations (“MSOs”), health insurance plans, and any other health care facility, organization or plan providing health care services in the state, subject to specified exclusions. Starting August 1, 2023, health care entities must provide written notice to DOH of “material transactions” at least thirty (30) days prior to the closing of the proposed transaction. The final legislation does not include a provision in earlier versions of the legislation that would have required health care entities to receive DOH approval prior to closing such transactions.
A “material transaction” includes a single transaction or series of related transactions within a rolling twelve-month period, involving: health care entity mergers, acquisitions, affiliations, the formation of partnerships, joint ventures, accountable care organizations, parent organizations or management services organizations “for the purpose of administering contracts with health plans, third party administrators, pharmacy benefit managers, or health care providers.” Article 45-A specifically excludes from state oversight under the new law a “de minimis transaction,” which would result in a health care entity increasing its total gross in-state revenue by less than $25 million.
Written notice of such transactions shall include:
- the names of the parties to the material transaction and their current addresses;
- copies of any definitive agreements governing the terms of the material transaction, including pre- and post-closing conditions;
- identification of all locations where health care services are currently provided by each party and the revenue generated in the state from such locations;
- any plans to reduce or eliminate services and/or participation in specific plan networks;
- the closing date of the proposed material transaction;
- a brief description of the nature and purpose of the proposed material transaction including: (i) the anticipated impact of the material transaction on cost, quality, access, health equity, and competition in the impacted markets, which may be supported by data and a formal market impact analysis; and (ii) any commitments by the health care entity to address anticipated impacts.
After written notice is provided, DOH will post a summary of the proposed transaction and other information provided on its website to permit the public to comment on the proposed transaction prior to closing. Health care entities that fail to comply with the new law are subject to civil penalties for each day in which the violation persists.
The new legislation takes effect on or about August 1, 2023, and grants DOH the authority to implement regulations regarding the disclosure process. Healthcare entities subject to the new law should evaluate planned transactions and keep apprised of subsequent DOH guidance to ensure compliance and avoid penalties.
For more information on navigating these new requirements and other regulatory guidance, please contact Robert Braumuller or Zaina S. Khoury, at RBraumuller@bpslaw.com or ZKhoury@bpslaw.com.
Proposed HIPAA Privacy Rule Change to Strengthen Privacy Related to Reproductive Health
In the wake of the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, the Department of Health & Human Services Office for Civil Rights (“OCR”) has issued a Notice of Proposed Rulemaking to modify the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule to prohibit the use or disclosure of protected health information (“PHI”) to investigate or prosecute patients and providers involved in the provision of legal reproductive health care.
The Privacy Rule currently permits certain disclosures of PHI to law enforcement authorities and others. This provision will remain in effect while HHS solicits comments on its proposed rule change. The proposal seeks to prohibit the disclosure of reproductive health care PHI to state law enforcement authorities for use in bringing criminal, civil, or administrative actions against patients for obtaining reproductive health care, including abortions, and against their health care providers for rendering the care.
Specifically, 45 C.F.R. §164.502 would be amended to prohibit the use or disclosure of PHI by a regulated entity for either of the following purposes:
- A criminal, civil, or administrative investigation into or proceeding against any person in connection with seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
- The identification of any person for the purpose of initiating such investigations or proceedings.
The new rule would apply where the relevant criminal, civil, or administrative investigation or proceeding is in connection to: (1) reproductive health care sought, obtained, provided, or facilitated in a state where the health care is lawful and outside of the state where the investigation or proceeding is authorized; (2) reproductive healthcare that is protected, required, or authorized by federal law, regardless of the state in which such health care is provided; or (3) reproductive healthcare provided in the state in which the investigation or proceeding is authorized and that is permitted by the law of that state.
The proposal also would add a new section 45 C.F.R. §164.509, which would require a regulated entity, upon receipt of a request for PHI related to reproductive healthcare, to obtain a signed attestation that the use or disclosure of such PHI is not for a prohibited purpose. The attestation requirement would apply when the request is for PHI pursuant to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners.
OCR Director Melanie Fontes Rainer commented on the proposal stating: “Today’s proposed rule is about safeguarding this trust in the patient-provider relationship, and ensuring that when you go to the doctor, your private medical records will not be disclosed and used against you for seeking lawful care.”
The proposed rule was published in the Federal Register on April 17, 2023, with public comments due by June 17, 2023.
For more information and regulatory guidance, please contact Robert Braumuller or Zaina S. Khoury, at RBraumuller@bpslaw.com or ZKhoury@bpslaw.com.
Governor Hochul Signs Legislation Banning Use of Liens and Wage Garnishments in Medical Debt Collection
On November 29, 2022, New York Governor Kathy Hochul signed legislation (S.6522A/A.7363A) prohibiting health care providers from placing liens on a patient’s primary residence and from garnishing wages in furtherance of medical debt collection. “No one should face the threat of losing their home or falling into further debt after seeking medical care,” Hochul said in a press release.
The main provisions of the new law, effective immediately, include the following:
- With respect to property liens: “No property lien shall be entered or enforced against a debtor’s primary residence in an action arising from a medical debt and brought by a hospital licensed under article twenty-eight of the public health law or a health care professional authorized under title eight of the education law.”
- With respect to wage garnishments: “No amount shall be imposed in judgments arising from a medical debt action brought by a hospital licensed under article twenty-eight of the public health law or a health care professional authorized under title eight of the education law.”
Governor Hochul said that the law is designed to protect “consumers from abusive and punitive practices that lead to increased and undeserved financial pressure.” More than 50,000 New Yorkers have been sued for medical debt over the past five years with 8% of New Yorkers, or 1.6 million people, having delinquent medical debt marring their credit reports.
Prior to the passing of the new law, healthcare providers and hospitals could impose and enforce liens on a patient’s primary residence to satisfy a judgment in a medical debt lawsuit as well as garnish a patient’s wages by court order directing their employer to withhold earnings to satisfy the medical debt. The law will hinder the ability of healthcare providers to collect unpaid bills for medical care provided to their patients, making it more important to require their patients to give adequate financial assurances prior to treatment.
Bleakley Platt’s Health Law Practice Group can assist in navigating the constraints of the new legislation to ensure practices remain compliant with dictates imposed by this new state law. For further information, contact Robert Braumuller or Zaina S. Khoury, at RBraumuller@bpslaw.com or ZKhoury@bpslaw.com.
OMIG’s Proposed Regulations Could Require Substantial Changes to Medicaid Providers’ Compliance Programs
Medicaid enrolled health care providers in New York should be aware that on July 13, 2022, the New York Office of Medicaid Inspector General (“OMIG”) published proposed regulations that would substantially alter the compliance program requirements for all Medicaid enrolled health care providers and Medicaid managed care organizations (“MMCO”) and codify OMIG’s self-disclosure program. The public comment period for the proposed regulations summarized below will end on Sunday, September 11, 2022.
The proposed regulations would require Medicaid providers to include a provision in their contracts to oblige vendors to comply with the compliance program and permit the provider to terminate the contract for failure to do so. The proposed Subpart 521-1 provides for the provision of additional requirements for an effective compliance program and amends the definition of a “Required Provider” obligated to adopt and implement effective compliance programs to now include Medicaid managed care organizations (“MMCO”) or Long-Term Care Providers (“MLTC”), in addition to any entity subject to Article 28 or 36 of the Public Health Law or Article 16 or 31 of the Mental Hygiene Law.
MMCOs with 10,000 or more enrollees are currently required to incorporate a fraud, waste, and abuse prevention program into their compliance programs, but Subpart 521-2 would expand applicability to MMCOs of all sizes, regardless of enrollment. The proposal also would require MMCOs with 1,000 or more enrollees to establish a full-time Special Investigation Unit (“SIU”) comprised of one full-time investigator and one director. An additional investigator must be employed for each 60,000 enrollees for most MMCOs or for each 6,000 enrollees for MLTCs, unless OMIG gives prior approval for alternative staffing levels. The proposed regulations impose on MMCOs the obligation to audit, investigate, and report cases of fraud, waste, or abuse to OMIG, and further mandate the scope of such audits to encompass clinical and billing records to ensure services were provided and billed appropriately. The proposed regulations also provide OMIG the ability to conduct an independent review of provider/MMCO compliance programs and impose monetary penalties or terminate provider participation in the Medicaid program based on the results of such review. Medicaid enrolled providers should expect enhanced scrutiny of claims as a result of this requirement.
The proposed Subpart 521-3 would codify subsection 7 of Section 363-d of New York’s Social Services Law, which became effective on April 1, 2020. The proposed regulations governing Medicaid program overpayments would mandate that all identified overpayments must be returned exclusively through the self-disclosure process.
If the proposed regulations are adopted, the rules will require providers and plans to review and update their compliance program documents as well as their service agreements to ensure these new requirements are addressed. For further information, contact Robert Braumuller at RBraumuller@bpslaw.com (914) 287-6185 or Zaina S. Khoury at ZKhoury@bpslaw.com (914) 287-6187.
Employers Should Evaluate Self-Insured Health Plans for Employees in States Banning Abortions After Supreme Court’s Decision in Dobbs v. Jackson Women’s Health Organization
Background
On June 24, 2022, Dobbs v. Jackson Women’s Health Organization, No. 19-1392, 597 U.S. ___ (2022) was decided by the United States Supreme Court upholding the Mississippi law banning abortions after 15 weeks of gestation. The decision was sweeping, overturning Planned Parenthood of Southeastern Pa. v. Casey, 505 U.S. 833 and Roe v. Wade, 410 U.S. 113, to hold that the United States Constitution does not prohibit State legislatures from banning or limiting abortion services.
Self-Insured (ERISA) Health Plans Versus Fully Insured Health Plans
Large employers that offer self-funded health plans are largely unaffected by the Dobbs decision. State law cannot impact these plans because they are governed by Employee Retirement Income Security Act of 1974 (ERISA), which pre-empts states from adopting requirements that “relate to” employer-sponsored health plans. Courts have for decades interpreted that language to bar state laws that dictate what health plans can and cannot cover.
If, however, your health plan is a fully or partially insured group health plan (“Non-ERISA plan”), it is governed by state insurance regulation. Non-ERISA plans offered in pro-life states may soon be prohibited from covering some abortion services as their states pass legislation, or their previously passed “trigger laws” go into effect, to restrict or prohibit abortion after the Dobbs Decision.
Any Medicaid or even marketplace products with federal funding already ban abortion services under the Hyde Amendment unless they are in certain pro-choice states that have decided to use state funds to cover the services. The New York State Medicaid program, for instance, covers abortion services. It lists on its website entities that assist women in other states banning abortion with travel, housing, and other costs.
Healthcare providers in states like New York may be reimbursed by the ERISA plan or potentially by the state Medicaid program if eligible patients are enrolled upon entry into the state. Patients who are not eligible and have non-ERISA health benefits may need to self-fund the medical services, or look for other resources, including their employers, to cover abortion services.
Employers in states that have banned abortion and offer non-ERISA plans may be motivated by their leadership, their Boards, and their employees to assist employees with abortion services. They may begin by considering if they want to adopt a self-funded ERISA Plan so that they have control over the benefits protected from restrictive state laws.
Travel Reimbursement
ERISA Plans often already fund medical travel for various services and typically encourage travel to facilities designated as “centers of excellence”. Consequently, expanding covered travel to include travel expenses for medical services related to abortion services should be protected by ERISA from any state law restrictions. If a state sued an employer that sponsored a health plan offering coverage for abortion services out of state on the basis of the state’s restrictions on abortion services, the employer could rely on ERISA’s pre-emption terms as a defense to the lawsuit. If travel expenses are not part of the employer’s ERISA group health plan, it may offer other types of reimbursement plans like flexible spending accounts (FSAs) that may be used, assuming the IRS permits the expansion of travel for abortion services as a qualified expense; federal reimbursement programs preempt state law.
However, employers that offer non-ERISA plans and seek to fund coverage for their employees to travel out of state for abortion services could not do so under their health plan if their states impose abortion restrictions. Employers located in states that have passed “trigger laws” (restrictive laws that automatically go into effect in the event Roe v. Wade is overturned) and wish to offer coverage for abortion services should retain competent legal counsel to review their state laws to determine if there is criminal or civil liability for aiding and abetting the evasion of the laws.
Another potential risk that such employers may face is enforcement initiatives seeking to use laws that prohibit crossing state lines for unlawful purposes, such as the Mann Act. The Mann Act from 1910 makes it a felony to engage in interstate commerce by crossing state lines “for the purpose of prostitution or for any other immoral purpose”. Although it is unlikely that the current administration would use the Mann Act to prohibit funding state travel to circumvent home state prohibitions on abortion services, future administrations may seek to do so.
Also, some states, such as Missouri, are considering the adoption of state laws that would allow private citizens to sue persons who help a Missouri state resident obtain an abortion by assisting in the travel to an out of state physician for that purpose. This could mean a lawsuit against the employer that assists the employee. As stated, ERISA may be a defense if the travel is under the ERISA Plan or related federal reimbursement plans.
Out of State Providers
ERISA Plans typically use large national networks of providers through their third-party administrators making it likely that network providers will be located in states permitting abortion services. Accordingly, if the Plan is restrictive regarding its use of out of network providers, the plan sponsor may want to consider expanding the use of out-of-network providers for certain services such as abortion-related services or defining the out-of-network emergency exception to include use of providers for abortion related services in exigent circumstances.
Telemedicine
Most abortions today are provided using medication abortion, which can and has been delivered through telehealth. The procedure involves the use of certain medications after a pregnancy is established. These drugs are different from Plan B, morning after pills, which are used soon after the act of intercourse but before a pregnancy is established.
Certain pro-life states (19 to date) require that these services only be provided in the medical office of a health care provider who is licensed in those states, making it impossible to use telehealth within these 19 states for abortions. It is uncertain if the telemedicine modality is available to individuals living in pro-life states using out-of-state providers in pro-choice states without those health care providers running afoul of many laws and regulations including practicing medicine without a state license. Providers in that situation put their medical license at risk for violating the state law where the patient sought the telemedicine services or could become liable for criminal or civil penalties for violating such state laws. As a result, this method of providing pregnancy termination services could be at risk for individuals located in pro-life states, making travel a better option even if just to obtain the medication abortion. It is possible that the federal government through CMS or the FDA may find a way to provide access to telemedicine for medication abortion or simply find another way to provide these medications.