Dear Health Law Section Members:

The Health Law Section (“HLS”) website has been updated with articles on significant developments in health law that may be of interest to you in your practice.

These summaries are presented to HLS members for general information only and do not constitute legal advice from The Florida Bar or its Health Law Section. HLS thanks these volunteers who have generously donated their time to prepare these summaries for our members.

The contributing authors for the March 2025 issue are:

  • George B. Breen, Esq., Epstein Becker & Green, P.C.
  • Jordan T. Cohen, Esq., Akerman LLP
  • Jenna Dees, Esq., Epstein Becker & Green, P.C.
  • Mary A. Edenfield, Dinsmore & Shohl LLP
  • Shannon B. Hartsfield, Esq., Holland & Knight LLP
  • John C. Hood, Esq., Akerman LLP
  • Clay Lee, Esq., Epstein Becker & Green, P.C.
  • Daniella R. Lee, Esq., Epstein Becker & Green, P.C.
  • Abhishek Ramaswami, Esq., Cadogan Law
  • Kathy J. Tayon, Esq., Tayon Law P.A.

Best,

Elizabeth Scarola, Esq., Epstein Becker & Green, P.C., HLS Update Co-Editor-in-Chief
John C. Hood, Esq., Akerman LLP, HLS Update Co-Editor-in-Chief
Daniella R. Lee, Esq., Epstein Becker & Green, P.C., HLS Update Editor
Castillana F. Duvernay, Esq., The Health Law Firm, HLS Update Editor
Adriana Baez, MD/JD candidate, University of Miami, HLS Law Student Member

Full Updates with footnotes are linked at the bottom of this page. 

 

FEDERAL CASE LAW

Massachusetts District Court Applies “But-For Causation” Standard, Dismisses AKS-Based FCA Case After Evaluating Facts and Circumstances of Independent Contractor Arrangements
On January 6, 2025, the U.S. District Court for the District of Massachusetts granted a defendant laboratory’s motion for summary judgment in a False Claims Act (FCA)/Anti-Kickback Statute (AKS) case brought by a physician objecting to the lab’s testing practices and its use of independent contractors paid on commission.
Judge Patti B. Saris held that plaintiffs in FCA cases must establish that “but for” the payment of illegal remuneration in violation of the AKS, the claim would not have been submitted. Applying the “but-for” standard, Judge Saris dismissed OMNI Healthcare Inc. v. MD Spine Solutions LLC, et al. because the record did not support that the independent contractor status of some of the lab’s sales representatives or their conduct unduly influenced any provider’s decision to purchase the product.

Adoption of “But-For” Causation in FCA Cases
There is a circuit split regarding whether FCA plaintiffs must prove that “but-for” the AKS violation, a claim would not have been submitted. Requiring “but-for” causation poses a significantly greater burden for plaintiffs seeking to advance FCA claims because they must show the kickback actually affected what good, item, or service was provided.
In the U.S. Courts of Appeals for the Sixth and Eighth Circuits, the heightened “but-for” causation must be established. The Third Circuit has adopted a less rigorous standard, requiring only a showing that at least one of the claims sought reimbursement for medical care that was provided in violation of the AKS. Plaintiffs in circuits with no clear precedent often argue for the application of the more plaintiff-friendly standards of the Third Circuit and use that ambiguity as leverage in negotiating settlement agreements.
The First Circuit, which includes Massachusetts—an epicenter of FCA lawsuits—has yet to clearly decide which standard should apply in FCA cases; however, Judge Saris made clear that she did not read the First Circuit’s decision in Guilfoile v. Shields to have issued a binding holding adopting the Third Circuit’s standard. Clarity on what causation will apply in the First Circuit may come with the much-anticipated release of the court’s decision in a case argued last summer that teed up the causation issue. The importance of Judge Saris’s decision is underscored by the fact that just days after she issued her decision, litigants in the First Circuit matter filed a notice of supplemental authority citing to the decision as support for adopting “but-for” causation as the applicable standard in AKS-based FCA cases.

Judicial Review of Independent Contractor Arrangements Based on Facts and Circumstances
Plaintiffs in FCA cases frequently argue that commission-based payments to independent contractors run afoul of the AKS. That said, in OMNI Healthcare, the government acknowledged “that paying independent contractors commission-based fees is not per se unlawful.” While commission-based payments to independent contractors may raise the specter of an AKS violation, Judge Saris determined, on the facts of this case, that no reasonable jury could conclude that the submission of claims for the lab testing at issue resulted from the defendants’ commission-based payments to independent contractors. She noted that the purpose of engaging sales representatives, whether independent contractors or employees, is to influence referrals, and that alone does not violate the AKS.
Judge Saris found the determinative questions to be: (1) whether the independent contractor status of sales representatives unduly or improperly influenced any provider’s decision to purchase the product, and (2) whether any independent contractor engaged in conduct that unduly or improperly influenced any provider’s decision to purchase the product. Because the record did not support a reasonable finding that the independent contractors’ status or conduct unduly or improperly influenced providers’ decisions to purchase the product, Judge Saris entered judgment for the defendants. This approach aligns with the Fifth Circuit’s approach in the 2024 case of United States v. Marchetti, which directed the focus of AKS inquiries to whether there was undue or improper influence on a relevant decision maker.

Takeaways
As noted generally in compliance guidance issued by the U.S. Department of Health and Human Services’ Office of Inspector General (OIG) and aimed at many segments of the health care industry, from drug manufacturers to new physicians, many common business activities, including sales and marketing, may implicate the federal AKS. Businesses operating in this industry should carefully review their marketing practices and relationships with physicians and others in a position to influence referrals. OIG guidance suggests that “whenever possible prudent manufacturers and their agents or representatives should structure relationships with physicians to fit in an available safe harbor,” such as those for personal services and management contracts or employees. Those that do not fit squarely into such a safe harbor should be reviewed in the totality of the facts and circumstances, examining the nature of the relationship, the manner in which the remuneration is determined, the value of the remuneration, the potential impact on federal programs, and potential conflicts of interest.
Although application of the “but-for” causation standard in AKS-based FCA cases is beneficial to health care institutions, it has not been universally adopted, and it does not eliminate the need for a “facts and circumstances” analysis. According to OIG guidance on the subject of how companies should engage with independent contractor sales reps, the analysis could include examining factors such as the amount of the compensation, the influence capabilities of the sales agent, the nature of the marketing or promotional activity, the item or service being promoted or marketed, and the target audience.
Submitted and authored by George B. Breen, Esq., Clay Lee, Esq., Daniella R. Lee, Esq., Epstein Becker & Green, P.C.
Epstein Becker Green Attorney Ann W. Parks contributed to the preparation of this post.
Republished with permission from: https://www.healthlawadvisor.com/massachusetts-district-court-applies-but-for-causation-standard-dismisses-aks-based-fca-case-after-evaluating-facts-and-circumstances-of-independent-contractor-arrangements

 

ADMINISTRATIVE AGENCIES AND FEDERAL REGULATIONS

Group Practice’s Single Legal Entity Requirement and Providing Services Through a Wholly Owned Subsidiary
Under the federal physician self-referral law (commonly referred to as the Stark law), a physician practice of two (2) or more physicians must organize as a single legal entity to meet one of the elements of the definition of a “group practice.” Being a “group practice” is necessary for such a physician practice to satisfy the in-office ancillary services exception to the physician self-referral law’s prohibition against certain referrals.
If a physician practice satisfies the in-office ancillary services exception at 42 U.S.C. § 1395nn(b)(2), which requires, among other things, the physician practice to be a “group practice” as defined in 42 U.S.C. § 1395nn(h)(4) and 42 C.F.R. § 411.352, then a physician with a financial relationship with that physician practice may refer patients for designated health services provided within the physician practice for which payment may be made by Medicare (or other programs where federal funds provide reimbursement, like CHAMPUS or Medicaid) without violating the prohibitions under 42 U.S.C. § 1395nn(a).
Unless an exception applies, if a physician has a “financial relationship” with a physician practice that provides “designated health service” for which payment may be made by Medicare (or other programs where federal funds provide reimbursement, like CHAMPUS or Medicaid), then the physician self-referral law prohibits:

  • the physician from making a referral to the physician practice for the furnishing of designated health services; and
  • the physician practice from presenting a claim or bill to any individual, third-party payor, or other entity for designated health services.

A “financial relationship” means the physician has an ownership or investment interest in the physician practice and/or the physician has a compensation arrangement with the physician practice. “Designated health services” include, but are not limited to, clinical laboratory tests, x-rays, MRIs, and physical therapy.
Under the in-office ancillary services exception, certain services performed or supervised by a physician who is a member of the same group practice as the referring physician are exempt from the prohibitions set forth in 42 U.S.C. § 1395nn(a)(1).
The definition of “group practice” under 42 U.S.C. § 1395nn(h)(4) contemplates a group of physicians that are “legally organized as a partnership, professional corporation, foundation, not-for-profit corporation, faculty practice plan, or similar association.” This language is often referred to as the single legal entity requirement.
This article discusses whether the single legal entity requirement in the definition of group practice as defined in 42 U.S.C. § 1395nn(h)(4) and 42 C.F.R. § 411.352 can be satisfied if a wholly owned subsidiary of a physician practice parent company provides services to the patients of the parent company.
The Centers for Medicare & Medicaid Services (“CMS”), in a 2021 Advisory Opinion No. 2021-01, said yes, a physician practice that meets the definition of group practice may have a wholly owned subsidiary that provides services to the patients of the parent company without destroying compliance with the definition of the group practice.

CMS Advisory Opinion No. 2021-01 (Favorable)
Issue. CMS Advisory Opinion No. 2021-01 (Favorable), (the “Opinion”), considers whether a physician practice would fail to qualify as a “group practice” for purposes of 42 U.S.C. § 1395nn(h)(4) and 42 C.F.R. § 411.352 if it furnishes designated health services through a wholly-owned subsidiary entity that is a physician practice but does not itself qualify as a group practice.
Opinion (favorable). CMS issues a favorable opinion and concludes “that furnishing designated health services through a wholly owned subsidiary entity that is a physician practice but does not itself qualify as a group practice under 42 C.F.R. § 411.352 would not preclude Requestor’s compliance with the requirement at 42 C.F.R. § 411.352(a) that a group practice is a single legal entity.”

Facts.
In the Opinion, the “Owner” owns a professional limited liability company that is a group practice, and this group practice is the “Requestor” in the Opinion. Additionally, the Owner owns a physician practice (“Subsidiary A”) in one State and another physician practice in another State (“Subsidiary B”). Requestor proposes a transaction where Requestor would acquire and own 100% of Subsidiary A and Subsidiary B.
Requestor certified that, following its acquisition of the Subsidiaries, all clinical employees and contractors of the Subsidiaries would become employed or contracted by Requestor. Such personnel would be designated to work at either the Group Practice State office site, the State A office site, or the State B office site. Although Subsidiary A and Subsidiary B would maintain their respective enrollments in Medicare, remain credentialed, and contract directly with payors and health plans—and use billing numbers assigned to the Subsidiaries to bill Medicare and other payors and health plans for services furnished to their beneficiaries and enrollees—all revenues and expenses of the Subsidiaries would be treated as revenues and expenses of Group Practice.

Reasoning.
In the Opinion, CMS discusses:

  • an August 1995 final rule (the “1995 Final Rule”), where CMS addresses qualification as a group practice in the context of a professional corporation that owns subsidiaries for the provision of equipment, billing services, or ancillary services, and
  • a 2001 final rule with comment period (“Phase I”), where CMS responds to a similar inquiry requesting clarification on whether a group practice could own subsidiaries that, for example, own real estate or equipment, provide billing services, or operate ancillary services.

In the Opinion, CMS notes that in the 1995 Final Rule and Phase I, CMS states its belief that the group practice definition and in-office ancillary services exception of the physician self-referral law at 42 U.S.C. § 1395nn do not preclude a single group practice from owning other legal entities for the purposes of providing services to the group practice.
Accordingly, CMS concludes in the Opinion that, based on the facts certified by Requestor, the regulation at 42 C.F.R. § 411.352(a) and the related interpretation of the physician self-referral law in the 1995 Final Rule and Phase I do not preclude Requestor from qualifying as a single legal entity if Requestor furnishes designated health services through the Subsidiaries, provided that Requestor is the sole owner of the Subsidiaries.
CMS also notes that, “as wholly-owned subsidiaries of Requestor—which is an operating physician practice—neither of the Subsidiaries would qualify as a group practice for purposes of the physician self-referral law.”

Conclusion
While the CMS Opinion is dated 2021, this promulgation should be considered if analyzing a proposal that a wholly owned subsidiary of a physician practice parent company provides services to the patients of the parent company.
This Opinion focuses on the single legal entity requirement in the definition of group practice.
Remember that in addition to the single legal entity requirement, there are other requirements to satisfy the definition of group practice in 42 U.S.C. § 1395nn(h)(4) and 42 C.F.R. § 411.352 and the in-office ancillary services exception at 42 U.S.C. § 1395nn(b)(2), in order to rely on the in-office ancillary services exception at 42 U.S.C. § 1395nn(b)(2).
Submitted and authored by Kathy J. Tayon, Esq., Board Certified in Health Law by The Florida Bar, Tayon Law P.A.

Post-Hurricane Flexibilities Offered by CMS

As our local community continues to recover from the aftermath of Hurricanes Helene and Milton, health care lawyers should be aware of, and consider the extent to which their clients can rely upon, the flexibilities that the Centers for Medicare & Medicaid Services (CMS) extended to assist with the Public Health Emergencies (PHEs) in Florida. As a result of Hurricanes Helene and Milton, CMS extended additional resources to Medicare providers and certain health care facilities in Florida.
As background, during a PHE, the Secretary of the U.S. Department of Health and Human Services (HHS) may temporarily waive certain HIPAA Privacy Rule requirements for hospitals.
During the recent PHE, CMS issued HIPAA-related waivers lasting up to seventy-two (72) hours to Florida hospitals that had activated their disaster protocol, including waivers for: the distribution of HIPAA privacy notices; patient rights to request privacy restrictions and confidential communications; communications with family or friends involved in care; and opting out of facility directories. Health Information Privacy PHE responses can be found here.
CMS provided additional waivers for Florida health care providers, such as medical staff flexibility in an effort to address workforce shortages and reduce the burden of the credentialing and privileging processes. Examples of other CMS Waivers issued for Florida hospitals and health care facilities include:

  • EMTALA Flexibility: to permit offsite patient screening outside the hospital’s campus;
  • Surge Capacity and Space Use: to permit the repurposing of non-patient areas for patient care, as long as the state approves and safety is ensured;
  • Telemedicine: to permit the provision of telemedicine services to patients through agreements with offsite hospitals to expand access to care; and
  • Temporary Expansion Locations: to permit the establishment of additional care locations that meet the required conditions, including existing provider-based departments, to expand capacity during emergencies.

These flexibilities will remain in place until the PHE has been rescinded. Additional information regarding waivers for each state and current emergency waivers can be found here.
The CMS waivers are aimed at increasing flexibility and capacity in response to healthcare system demands. Hurricanes Helene and Milton were a stark reminder of CMS requirements (including Conditions of Participation) for disaster planning to appropriately prepare for and respond to such events. As Florida attorneys, it is essential that our professional community is proactive about advising Florida health care entities on preparedness plans and flexibilities to navigate emergencies in furtherance of the goal of continuity of care during natural disasters.
Submitted and authored by Jenna Dees, Esq., Epstein Becker & Green, P.C.
Republished with permission from: https://www.healthlawadvisor.com/post-hurricane-flexibilities-offered-by-the-u-s-department-of-health-and-human-services-through-the-centers-for-medicare-medicaid-services

A ‘Virtual Present’ Leftover from the Holidays: CMS’s CY 2025 Medicare PFS Final Rule Extends Virtual Supervision Flexibilities

Telehealth providers whose holiday wish lists included permanent extensions to the statutory Medicare telehealth flexibilities implemented during the Public Health Emergency for COVID-19 (PHE) were likely disappointed by the American Relief Act, 2025, which merely extended most of those statutory flexibilities through March 31, 2025. However, in the Calendar Year 2025 Medicare Physician Fee Schedule Final Rule (Final Rule), which took effect at the beginning of this year, the Centers for Medicare and Medicaid Services (CMS) included some “stocking stuffers” extending certain regulatory Medicare telehealth flexibilities. Among the telehealth flexibilities included in the Final Rule are two important changes with respect to the virtual supervision of diagnostic tests, incident-to services, and pulmonary and cardiac rehabilitation services. First, it extends through December 31, 2025, the flexibility implemented during the PHE that allows the “direct supervision” required for many diagnostic tests, most incident-to services, and certain pulmonary and cardiac rehabilitation services to be performed remotely via virtual presence through audio/video real-time communications technology. Second, it permanently allows direct supervision via virtual presence for certain low-risk incident-to services performed by auxiliary personnel beginning in January 2026.

A Refresher on Supervision
To be payable under Medicare Part B, services provided incident-to a physician or other practitioner’s service, certain diagnostic tests, and all pulmonary and cardiac rehabilitation services must be furnished under specific levels of supervision by a physician or other practitioner. See 42 C.F.R. § 410.26 (professional services); 42 C.F.R. § 410.32 (diagnostic tests); 42 C.F.R. § 410.47 (pulmonary rehabilitation); 42 C.F.R. § 410.49 (cardiac rehabilitation). CMS’s regulations at 42 C.F.R. § 410.32(b)(3) define three levels of supervision: “general supervision,” “direct supervision,” and “personal supervision.” “General supervision” is the lowest level of supervision and means that the procedure is furnished under the physician’s overall direction and control but does not require the physician’s physical presence. Therefore, general supervision can be performed remotely by the supervising physician or other practitioner. In contrast, “personal supervision,” the highest level of supervision, requires a physician to be in attendance in the room during the performance of the procedure.

Flexibilities During the PHE
The PHE flexibility concerned “direct supervision,” an intermediate level of supervision that is more involved than general supervision, but less so than personal supervision. Ordinarily, direct supervision requires the supervising physician or other practitioner to be physically present in the office suite and “immediately available” to furnish assistance and direction throughout the performance of the procedure. However, during the PHE, CMS temporarily amended the definition of “direct supervision” such that the presence of the physician or other practitioner could be satisfied via “virtual presence” through audio/video real-time communications technology (but not audio-only communication technology). In other words, under this PHE flexibility, the direct supervision requirement could be met by a remote supervising physician or other practitioner who is immediately available to engage with the personnel via audio/video real-time communications technology. This flexibility has applied to diagnostic tests, incident-to services, pulmonary rehabilitation services, and cardiac and intensive cardiac rehabilitation services. CMS had previously extended this flexibility through December 31, 2024.

Blanket Extension of Remote Supervision Flexibility Until 2026
In light of CMS’s concerns that an abrupt transition back to the pre-PHE direct supervision policy could present a barrier to access to many services, the Final Rule temporarily extends this flexibility for all services furnished in physician offices that require direct supervision through December 31, 2025. That is, through December 31, 2025, the definition of “direct supervision” will continue to permit the presence and immediate availability of the supervising practitioner through real-time audio-video communications technology. Similarly, the Calendar Year 2025 Medicare Outpatient Prospective Payment System (OPPS) Final Rule temporarily extends a parallel flexibility for cardiac rehabilitation, intensive cardiac rehabilitation, pulmonary rehabilitation, and diagnostic services furnished in hospital outpatient settings to allow such virtual direct supervision through December 31, 2025.

Narrower Permanent Flexibility Begins in 2026
In its commentary to the Final Rule, CMS acknowledges that remote direct supervision via virtual presence has been widely adopted and may enhance Medicare beneficiaries’ access to care. While CMS left open the possibility of making the flexibility permanent for all services that require direct supervision, the agency is not ready to do so. Instead, CMS is permanently extending the flexibility for a narrower set of services that are typically performed in their entirety by “auxiliary personnel” and present less of a patient safety concern. “Auxiliary personnel” are defined to include individuals that: (i) act under the supervision of a physician (or other practitioner), (ii) are eligible to provide services to Medicare beneficiaries, and (iii) satisfy applicable requirements under state law to provide incident-to services, including holding appropriate licensure. Such personnel typically include physician assistants and other non-physician support staff.
Beginning January 1, 2026, the presence of the physician (or other practitioner) required for direct supervision may, permanently, include virtual presence via audio/video real-time communications technology for the following incident-to services:

  1. Services furnished incident-to the services of a physician or other practitioner when provided by auxiliary personnel employed by the billing practitioner and working under their direct supervision and for which the underlying HCPCS code has been assigned a PC/TC indicator of ‘5’; and
  2. Office or other outpatient visits for the evaluation and management of an established patient that may not require the presence of a physician or other qualified health care practitioner (i.e., services described by CPT code 99211).

For all other services requiring direct supervision, supervising physicians and other practitioners should be ready to transition back to being physically “present in the office suite” by January 1, 2026, unless CMS further extends the current flexibilities in future rulemaking.

Other Considerations
Importantly, CMS cautions in the Final Rule that, for services on the Medicare Telehealth List that are available to beneficiaries in their homes, but also require direct supervision, the physician or other supervising practitioner must be available using both audio and video. However, according to CMS, that does not necessarily mean that any interaction between the patient and the supervising practitioner would require a video component. For instance, the Medicare Telehealth List includes CPT code 99211, which describes an office or other outpatient visit for the evaluation and management of an established patient that may not require the presence of a physician or other qualifying practitioner. This service could be furnished via a telehealth encounter to Medicare beneficiaries in their home by auxiliary personnel acting incident-to the service of a physician or other qualifying practitioner. Another flexibility the Final Rule makes permanent would allow the interaction with the patient to be conducted using interactive audio-only telecommunications if: (i) the physician or practitioner furnishing the service is technically capable of using an interactive telecommunications system that includes audio and video equipment, and (ii) the patient is incapable of, or does not consent to, the use of video technology. However, to provide remote direct supervision for such an incident-to service furnished via telehealth, the supervising practitioner must be available to the auxiliary personnel by both audio and video communications technology to furnish assistance and direction throughout the performance of the procedure. Thus, if the audio-only flexibility applies, interaction between the patient and the supervising practitioner would not require a video component, but the supervising practitioner must still be available to the supervised personnel via both audio and video to satisfy the direct supervision requirement.
It is also critical that physicians, advanced practice providers (APPs), and other entities implementing direct supervision via virtual presence understand the connection between federal supervision requirements and state law. Generally, Medicare Part B will only pay for diagnostic tests supervised by nurse practitioners, clinical nurse specialists, physician assistants, certified registered nurse anesthetists, or certified nurse-midwives, to the extent such practitioners are authorized to supervise such diagnostic tests under their scope of practice and applicable state law. Additionally, Medicare Part B allows diagnostic tests that would otherwise require a personal level of supervision to be performed under direct supervision by certified registered radiologist assistants and radiology practitioner assistants, but only to the extent permitted by state law and state scope of practice regulations. Similarly, incident-to services are only payable by Medicare Part B if they are furnished in accordance with applicable state law by auxiliary personnel who meet any applicable state law requirements to provide such services. And, as mentioned above, Medicare Part B only allows incident-to services to be supervised by an APP to the extent permitted by the applicable state law.
There is significant variability among the states with respect to the types of personnel who may perform or supervise a given diagnostic test, incident-to service, or rehabilitation service. Therefore, Medicare Part B suppliers, such as physician group practices and Independent Diagnostic Testing Facilities, implementing virtual supervision of diagnostic tests, incident-to services, and pulmonary and cardiac rehabilitation services should consult legal counsel to ensure that their operations comply with both state and federal law, as well as guidance from their local Medicare Administrative Contractors, which can vary throughout the country.
Submitted and authored by Jordan T. Cohen, Esq., and John C. Hood, Esq., Akerman LLP

Insights from the Proposed HIPAA Security Rule Changes

Just before the presidential transition, on January 6, 2025, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued proposed rules that would make sweeping changes to HIPAA’s data security requirements. The HIPAA Security Rule is more than 20 years old and has not been substantially updated for more than a decade. Even if the new proposed rules are not finalized in their current form, they provide insight into how regulators, at least under the prior administration, viewed the Security Rule.
In the preamble to the proposed regulations, OCR noted that, since the Security Rule was first finalized, there have been significant changes to the cybersecurity threats facing the healthcare sector. Electronic “tools and technologies are an integral part of the modern health care system, but they also present opportunities for bad actors to cause harm through hacking, ransomware, and other means.” The proposed rules are designed to address these threats. Although there are many proposed changes, HHS takes the position that the existing Security Rule obligations for regulated entities “would not be substantially changed” but would merely be codifying what regulated entities should already be doing to comply with existing rules and would not pose special challenges.
If finalized in their current form, however, the rules do seem to impose significant additional specificity. For example, regulated entities would have to create a written inventory and network map of information systems and technology assets. The proposed rules would also impose specific requirements for the risk analysis and risk management plan. These maps and risk analyses would have to be revisited at least every 12 months. Business associate relationships would require additional oversight. In addition to business associate agreements, regulated entities would have to obtain written verification from their business associates at least once every 12 months that those business associates have deployed required technical safeguards. These are just a small portion of the changes that the proposed rules could bring.
Cybersecurity threats can lead not only to data breaches, but also to interruptions in healthcare services and other patient harm. While compliance with the additional security measures in the proposed rules would likely involve significant investment by regulated entities, they could facilitate important improvements to data security.
Submitted and authored by Shannon B. Hartsfield, Partner, Holland & Knight LLP, Board Certified in Health Law by The Florida Bar

 

HLS Monthly Updates 2025 – March