Surprise! The No Surprises Act Changes Again

The No Surprises Act (Act), which became effective Jan. 1, 2022, is the latest health care law passed with the best of intent: to create consumer protection from unexpected out-of-network medical bills and to create a federal independent dispute resolution (IDR) process to resolve payment disputes between payers and out-of-network providers. Unfortunately, the Act, especially the U.S. Department of Health and Human Services’ (HHS) implementation of the IDR process, also creates a new administrative burden for health care providers. Providers and medical associations filed lawsuits in multiple jurisdictions to challenge HHS’ implementation of the IDR process and the constitutionality of the Act before it was even in effect.

On Feb. 24, 2022, the United States District Court for the Eastern District of Texas granted the Texas Medical Association’s Motion for Summary Judgement to vacate select IDR requirements. The Court found that HHS’ interim final rule’s IDR process, intended to resolve payment disputes regarding reimbursement for out-of-network emergency services and out-of-network services provided at in-network facilities, was contrary to the clear language of the Act[1] (Rule).

In general, the Act[2] requires health insurance payers (Insurers) to reimburse providers for certain out-of-network services at a statutorily calculated “out-of-network rate.”[3] Where an All-Payer Model Agreement or specified state law does not exist, to set such a rate, an Insurer must issue an initial out-of-network rate decision and pay such amount to the providers within 30 days after the out-of-network claim is submitted.[4] If the provider disagrees with the Insurer’s proposed out-of-network reimbursement rate, the provider has a 30-day window to negotiate a different payment rate with the Insurer.[5] If these negotiations fail, the parties can proceed to the IDR process.[6]

Congress adopted a baseball-style arbitration model for the Act’s IDR process. The Insurer and provider each submit a proposed out-of-network rate with limited supporting evidence. The arbitrator picks one of the offers while taking into account specified considerations, including the “qualified payment amount,” the provider’s training, experience, quality, and outcomes measurements, the provider’s market share, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the provider’s/Insurer’s good-faith attempts to enter into a network agreement.[7] The “qualifying payment amount” (QPA), is designed to represent the median rate the Insurer would pay for the item or service if it were provided by an in-network provider.[8]

The Rule requires the IDR arbitrator to select the proposed payment amount that is closest to the QPA unless “the certified IDR entity [arbitrator] determines that credible information submitted by either party … clearly demonstrates that the [QPA] is materially different[9] from the appropriate out-of-network rate.”[10] This is a clear departure from the analysis set forth in the Act.

The Texas Medical Association challenged the Rule under the Administrative Procedures Act (APA), arguing that the Departments exceeded their authority by giving “outsized weight” to one statutory factor over the others specified by Congress, and that the Departments failed to comply with the APA’s notice and comments requirements in promulgating the Rule. In turn, the Departments argued that the plaintiffs did not have standing to bring the claims.

After dispensing with defendant’s standing arguments, the Eastern District of Texas Court ruled in favor of the plaintiff’s Motion for Summary Judgment and determined that “the Act unambiguously establishes the framework for deciding payment disputes and concludes that the Rule conflicts with the statutory text.” Under the Act, the arbitrators (or certified IDR entities) “shall consider … the qualifying payment amounts” and the provider’s level of training, experience, and quality outcomes, the market share held by the provider, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the demonstrated good faith efforts of both parties in entering into a network agreement.”[11] The Act did not specify that any one factor should be considered the “primary” or “most important” factor. The Rule, in contrast, requires arbitrators to “select the offer closest to the [QPA]” unless “credible” information, including information supporting the “additional factors,” “clearly demonstrates that the [QPA] is materially different from the appropriate out-of-network rate.”[12] The Departments characterized the other factors as “permissible additional factors” that may be considered only when appropriate.[13] The Court found that the Department’s Rule was inconsistent with the Act and that since Congress had spoken clearly on the factors to be considered in the arbitration process, the Department’s interpretation of the Act was not appropriate and had exceeded the Department’s authority.[14]

Following the Court’s decision, the Departments issued a memorandum on Feb. 28, 2022, clarifying the Act’s requirements for providers and Insurers. The memo specifically noted that the Court’s decision would not, in their opinion, affect the patient-provider dispute resolution process.[15] The Departments also stated they would withdraw any guidance inconsistent with the Court’s Opinion, provide additional training for interested parties, and keep the IDR process portal open to resolve disputes. The Departments also will be considering further rulemaking to address the IDR process.

The No Surprises Act continues to surprise us all with more adaptations. Enforcement of this new law remains uncertain in light of the numerous legal challenges, including at least one constitutionality challenge.


[1] Requirements Related to Surprise Billing: Part II, 86 Fed. Reg. 55,980 (Oct. 7, 2021).

[2] Consolidated Appropriations Act of 2021, Pub. L. No. 116-260, div. BB, tit. I, 134 Stat. 1182, 2758-2890 (2020).

[3] 300gg-111(a)(1)(C)(iv)(II) and (b)(1)(D).

[4] 300gg-111(a)(1)(C)(iv) and (b)(1)(C).

[5] 300gg-111(c)(1)(A).

[6] 300gg-111(c)(1)(B).

[7] 300gg-111(c)(5).

[8] 300gg-111(a)(3)(E)(i)(I)-(II).

[9] “Material difference” is defined as “a substantial likelihood that a reasonable person with the training and qualifications of a certified IDR entity making a payment determination would consider the submitted information significant in determining the out-of-network rate and would view the information as showing that the [QPA] is not the appropriate out-of-network rate. 149.510(a)(2)(viii).

[10] 45 C.F.R. 149.510(c)(4)(ii).

[11] 300gg-111(c)(5)(C)(i)-(ii).

[12] 45 C.F.R. 149.510(c)(4)(ii)(A).

[13] 86 Fed. Reg. 56,080.

[14] Because the Departments had exceeded their statutory authority, no Chevron deference was owed to their regulations. Chevron U.S.A. v. Natural Resources Defense Council, Inc., 468 U.S. 837 (1984).

[15] This is a separate dispute resolution process designed to address disputes between patients and providers when bills for uninsured and self-pay patients are inconsistent with the good faith estimate provided by the health care provider.

© 2022 Dinsmore & Shohl LLP. All rights reserved.

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency.  In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Congress Grants Five Month Extension for Telehealth Flexibilities

On Tuesday, March 16, 2022, President Biden signed into law H.R. 2471, the Consolidated Appropriations Act, 2022 (“2022 CAA”). This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”). This equates to about a five-month period.

The 2022 CAA extension captures most of the core PHE telehealth flexibilities authorized as part of Medicare’s pandemic response, including the following:

  • Geographic Restrictions and Originating Sites: During the extension, Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home. Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
  • Eligible Practitioners: Occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists will continue to be able to furnish and receive payment for telehealth services as eligible distant site practitioners during the extension period.
  • Mental Health:  In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
  • Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology. This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 2000 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Additionally, the 2022 CAA allocates $62,500,000 from the federal budget to be used for grants for telemedicine and distance learning services in rural areas. Such funds may be used to finance construction of facilities and systems providing telemedicine services and distance learning services in qualified “rural areas.”

Passage of the 2022 CAA is a substantial step in the right direction for stakeholders hoping to see permanent legislative change surrounding Medicare telehealth reimbursement.

U.S. Supreme Court Lifts Preliminary Injunctions on Healthcare Worker Vaccine Mandate

On January 13, 2022, the United States Supreme Court upheld the Centers for Medicare & Medicaid Services (“CMS”) Interim Final Rule (the “Rule”) in a 5-4 decision, staying the preliminary injunctions issued for 24 states by the District Courts for the Eastern District of Missouri and the Western District of Louisiana.  Therefore, the CMS vaccine mandate is in full effect for all states except Texas, which was not part of the cases before the Court.  The Rule requires nearly all workers at Medicare- and Medicaid-certified facilities—whether medical personnel, volunteers, janitorial staff, or even contractors who service the facilities—to be fully vaccinated against COVID-19 unless they qualify for a medical or religious exemption.

The Court based its holding on two main points.  First, the Court held that Congress clearly authorized CMS to put conditions on funding it provides to the Medicare and Medicaid certified facilities.  The Court opined that perhaps CMS’s “most basic” function is to ensure that regulated facilities protect the health and safety of their patients, noting that Medicare and Medicaid patients are often some of the most vulnerable to infection and death from COVID-19.  Because CMS determined that a vaccine mandate is necessary to protect patient health and safety, the Court held the mandate “fits neatly within the language of the [authorizing] statute.”  The Court acknowledged that CMS has never required vaccinations in the past, but attributed this in part to the fact that states typically already require necessary vaccinations like hepatitis B, influenza, and measles for healthcare workers.

Second, the Court held that the mandate is not arbitrary and capricious, and cautioned the district courts that their role is merely to make sure an agency acts within the “zone of reasonableness.”  The Court found the administrative record sufficient to explain CMS’s rationale for the mandate and also accepted that getting the vaccine mandate in place ahead of winter and flu season satisfied the “good cause” standard for skipping the notice and comment period.

Healthcare employers subject to the Rule should immediately start implementing vaccine requirements if they have not already.  It is anticipated that in all states but Texas, CMS will likely begin enforcement of the vaccine mandate in approximately 30 days.  On December 28, 2021, CMS released guidance to state surveyors with enforcement standards to use starting 30 days from the memo, though at the time the memo only applied to the 25 states that were not enjoined.  Healthcare employers should also keep in mind that this is not the end of the road: the Court’s holding only means that the CMS vaccine mandate is in force while the 5th and 8th Circuits complete their review of the underlying state challenges to the mandate.  While the Supreme Court’s opinion sends a strong message that lower courts should uphold the mandate, there is no guarantee they will do so.

The legal landscape continues to evolve quickly and there is a lack of clear-cut authority or bright line rules on implementation.  This article is not intended to be an unequivocal, one-size-fits-all guidance, but instead represents our interpretation of where applicable law currently and generally stands.  This article does not address the potential impacts of the numerous other local, state and federal orders that have been issued in response to the COVID-19 pandemic, including, without limitation, potential liability should an employee become ill, requirements regarding family leave, sick pay and other issues.

Article By Keeley A. McCarty and Ashley T. Hirano of Sheppard, Mullin, Richter & Hampton LLP

For more health law legal news, click here to visit the National Law Review.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Study Demonstrates Earlier Physician Retirement Overall and Increased Pay Equity Concerns for Female Doctors During the Pandemic

This month, Doximity issued its Fifth Annual 2021 Physician Compensation Report. With the continued strain of the pandemic spanning 2021, the self-reported physician data reflected widespread burnout and early retirement, especially by female physicians. With respect to physician compensation, Doximity findings demonstrated:

  • While average doctor pay increased 3.8 percent between 2020 and 2021, there was a decline of real income compared to 2020 given the CPI 6.2% rate of inflation in 2021.
  • The top five metro areas with the highest physician pay were Charlotte, NC; St. Louis, MO; Buffalo, NY; Jacksonville, Florida; and, Orlando, Florida.
  • The top five metro areas with the lowest physician pay were Baltimore, MD; Providence, RI; San Antonio, TX; Washington, D.C.; and Boston, MA.
  • A widening gender pay gap of 28.2% this year, with female physicians making $122,000 less than male physicians in 2021.
  • Based on 2014-2019 data, Doximity estimates that over the course of a career, female physicians will earn over $2 million less than male physicians.

Specialties with the largest pay equity gaps between men and women are oral & maxillofacial surgery; allergy and immunology; ENT; pediatric nephrology; and thoracic surgery. Significantly, there is no one medical specialty where women earned the same or more than men in 2021. All specialties had a pay gap over 10%, except Pediatric Rheumatology (which had a gap of 7.9%). To compound matters, a recent Jama Network Open research letter found that physician residents who were mothers – compared to physician residents who were fathers – were more likely to be responsible for childcare or schooling (24.6% v. .8%), household tasks (31.4% v. 7.2%), to work primarily from home (40.9% to 22%), and to reduce their work hours (19.4% to 9.4%). The study reflected the significant concern that these “short-term adjustments can have serious long-term repercussions as they may lead to lower earnings and negatively impact advancement.”

Doximity’s research also revealed that due to the pandemic, over 1% of physicians retired before expected, which is feared to strain an already tight labor market. The report also highlighted studies suggesting about half of doctors are considering an employment change due to the “COVID-related overwork.” The overwork also had a disproportionate impact on women physicians, with 25% of them reporting they are “considering early retirement” due to increased work during the pandemic.

This research reflects the importance of a physician/employer in any setting reflecting on the impact of the pandemic on its healthcare team. Moreover, the research shows continued pay equity deficits between female and male physicians, which may be exacerbated by the pandemic. Internal reflection on current pay practices to identify the factors contributing to it are critical to maintain top talent, improve morale amidst very difficult times and avoid wage and hour litigation.

Article By Dorothy Parson McDermott of Jackson Lewis P.C.

For more healthcare and health law legal news, click here to visit the National Law Review.

Jackson Lewis P.C. © 2021

The Shell Game Played with Your DNA, or 23 and Screwing Me

So you want to know how much Neanderthal is in your genes.

You are curious about the percentage of Serbo-Croatian, Hmong, Sephardim or Ashanti blood that runs through your veins. Or maybe you hope to find a rich great-aunt near death, seeking an heir.

How much is this worth to you?  Two hundred bucks? That makes sense.

But what about other costs:

– like sending your cousin to prison for life (and discovering that you grew up with a serial killer)?

– like all major companies refusing to insure you due to your genetic make-up?

— like ruining your family holidays when you find that your grandfather is not really genetically linked to you and grandma had been playing the field?

– like pharma companies making millions using your genetic code to create new drugs and not crediting you at all (not even with discounts on the drugs created by testing your cells)?

– like finding that your “de-identified” genetic code has been re-identified on the internet, exposing genetic propensity for alcoholism or birth defects that turn your fiancé’s parents against you?

How much are these costs worth to you?

According to former FDA commissioner Peter Pitts, writing in Forbes, “The [private DNA testing] industry’s rapid growth rests on a dangerous delusion that genetic data is kept private. Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.” Including law enforcement.

Nothing in US Federal health law protects the privacy of DNA test subjects at “non-therapeutic” labs like Ancestry or 23andMe. Information gleaned from the DNA can be used for almost anything.  As Pitts said, “Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their genomic building blocks held against them. Such abuses represent a profound violation of privacy. That’s an inherent risk in current genetic-testing practices.”

Genetic testing companies quietly, and some would argue without adequate explanation of facts and harms which are lost in a thousand words of fine print that most data subjects won’t read, push their customers to allow genetic testing on the customer samples provided. Up to 80% of 23andMe customers consent to this activity, likely not knowing that the company plans to make money off the drugs developed from customer DNA. Federal laws require labs like those used by 23andMe for drug development to keep information for more than 10 years, so once they have it, despite rights to erasure provided by California and the EU, 23andMe can refuse to drop your data from its tests.

Go see the HBO movie starring Oprah Winfrey about medical exploitation of the cell lines of Henrietta Lacks, or better yet, read the bestselling book it was based on. Observe that an engaging, vivacious woman who couldn’t afford health insurance was farmed for a line of her cancer cells that assisted medical science for decades and made millions of dollars for pharma companies without any permission from or benefit to the woman whose cells were taken.  Or any benefit to her family once cancer killed her. Companies secured over 11,000 patents using her cell lines. This is the business model now adopted by 23andMe. Take your valuable data under the guise of providing information to you, but quietly turning that data into profitable products for their shareholders’ and executives’ benefit. Not to mention that 23andMe can change its policies at any time.

As part of selling your genetic secrets to the highest bidder, 23andMe is constantly pushing surveys out to its customers. According to an article in Wired, 23andMe Founder Ann Wojcicki said, “We specialize in capturing phenotypic data on people longitudinally—on average 300 data points on each customer. That’s the most valuable by far.” Which means they are selling not only your DNA information, but all the other data you give them about your family and lifestyle.

This deep ethical compromise by 23andMe is personal for me, and not because I have sent them any DNA samples – I haven’t and I never would. But because, when questioned publicly about their trustworthiness by me and others close to me, 23andMe has not tried to explain its policies, but has simply attacked the questioners in public. Methinks the amoral vultures doth protest too much.

For example, a couple of years ago, my friend, co-author and privacy expert Theresa Payton noted on a Fox News segment that people who provide DNA information to 23andMe do not know how such data will be used because the industry is not regulated and the company could change its policies any time. 23andMe was prompt and nasty in its response, attacking Ms. Payton on Twitter and probably elsewhere, claiming that the 23andMe privacy policy, as it existed at the time, was proof that no surprises could ever be in store for naïve consumers who gave their most intimate secrets to this company.

[BTW, for the inevitable attacks coming from 23andMe and their army of online protectors, the FTC endorsement guidelines require that if there is a material connection between you and 23andMe, paid or otherwise, you need to clearly and conspicuously disclose it.]

Clearly Ms. Payton was correct and 23andMe’s attacks on her were simply wrong.

Guess what? According to the Wall Street Journal, 23andMe sold a $300 MM stake in itself to GlaxoSmithKline recently and, “For 23andMe, using genetic data for drug research ‘was always part of the vision,’ according to Emily Drabant Conley, vice president and head of business development.” So this sneaky path is not even a new tactic. According to the same WSJ story, “23andMe has long wanted to use genetic data for drug development. Initially, it shared its data with drug makers including Pfizer Inc. and Roche Holding AG ’s Genentech but wasn’t involved in subsequent drug discovery. It later set up its own research unit but found it lacked the scale required to build a pipeline of medicines. Its partnership with Glaxo is now accelerating those efforts.”

And now 23andMe has licensed an antibody it developed to treat inflammatory diseases to Spanish drug maker Almirall SA. “This is a seminal moment for 23andMe,” said Conley. “We’ve now gone from database to discovery to developing a drug.” In the WSJ, Arthur Caplan, a professor of bioethics at NYU School of Medicine said “You get this gigantic valuable treasure chest, and people are going to wind up paying for it twice. All the people who sent in DNA will be paying the same price for any drugs that are developed as anybody else.”

So this adds another ironic dimension to the old television adage, “You aren’t the customer, you are the product.” You pay to provide your DNA – the code to your entire physical existence – to a private company. Why? Possibly because you want information that may affect your healthcare, but in all likelihood you simply intend to use the information for general entertainment and information purposes.

You likely send a swab to the DNA company because you want to learn your ethnic heritage and/or see what interesting things they can tell you about why you have a photic sneeze reflex, if you are genetically inclined to react strongly to caffeine, or if you are carrier of a loathsome disease (which you could learn for an additional fee). But the company uses the physical cells from your body not only to build databases of commercially valuable information, but to develop drugs and sell them to the pharmaceutical industry. So who is the DNA company’s customer? 23andMe and its competitors take physical specimens from you and sell products made from those specimens to their real customers, the drug companies and the data aggregators.

These DNA processing firms may be the tip of the spear, because huge data companies are coming for your health information. According to the Wall Street Journal,

“Google has struck partnerships with some of the country’s largest hospital systems and most-renowned health-care providers, many of them vast in scope and few of their details previously reported. In just a few years, the company has achieved the ability to view or analyze tens of millions of patient health records in at least three-quarters of U.S. states, according to a Wall Street Journal analysis of contractual agreements. In certain instances, the deals allow Google to access personally identifiable health information without the knowledge of patients or doctors. The company can review complete health records, including names, dates of birth, medications and other ailments, according to people familiar with the deals.”

And medical companies are now tracking patient information with wearables like smartwatches, so that personally captured daily health data is now making its way into these databases.

And, of course, other risk issues affect the people who provide data to such services.  We know through reporting following the capture of the Golden State Killer that certain genetic testing labs (like GEDMatch) have been more free than others with sharing customer DNA with law enforcement without asking for warrants, subpoenas or court orders, and that such data can not only implicate the DNA contributors but their entire families as well. In addition, while DNA testing companies claim to only sell anonymized data, the information may not remain that way.

Linda Avey, co-founder of 23andMe, concedes that nothing is foolproof. She told an online magazine, “It’s a fallacy to think that genomic data can be fully anonymized.” This articles showed that researchers have already re-identified people from their publicly available genomic data. For example, one 2013 study matched Y-chromosome data with names posted in places such as genealogy sites. In another study that same year, Harvard Professor Latanya Sweeney re-identified 84 to 97 percent of a sample of Personal Genome Project volunteers by comparing gender, postal code and date of birth with public records.

2015 study re-identified nearly a quarter of a sample of users sequenced by 23andMe who had posted their information to the sharing site openSNP. “The matching risk will continuously increase with the progress of genomic knowledge, which raises serious questions about the genomic privacy of participants in genomic datasets,” concludes the paper in Proceedings on Privacy Enhancing Technologies. “We should also recall that, once an individual’s genomic data is identified, the genomic privacy of all his close family members is also potentially threatened.” DNA data is the ultimate genie, that once released from the bottle, can’t be changed, shielded or stuffed back inside, and that threatens both the data subject and her entire family for generations.

And let us not forget the most basic risk involved in gathering important data. This article has focused on how 23andMe and other private DNA companies have chosen to use the data – probably in ways that their DNA contributing customers did not truly understand – to turn a profit for investors.  But collecting such data could have unintended consequences.  It can be lost to hackers, spies or others who might steal it for their own purposes.  It can be exposed in government investigations through subpoenas or court orders that a company is incapable of resisting.

So people planning to plaster their deepest internal and family secrets into private company databases should consider the risks that the private DNA mills don’t want you to think about.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more in health data privacy, see the National Law Review Health Law & Managed Care section.

Vaping Businesses Catch a Bad Rap: The Recent Ban of ALL Vaping Products in Massachusetts Unfairly Prejudices the Vape Industry and Vape Consumers

Massachusetts has taken a drastic and abrupt step by banning the sale of all vaping products, nicotine and THC, within its state borders for the next four months. This drastic and sweeping prohibition against vaping products will have far-reaching economic consequences for many small businesses that make up the bulk of this new and burgeoning industry. The root cause of the recent vaping-related illnesses appears to be the result of illicit and unregulated THC cartridges from the black market.

Reports and Causes

Dr. Michael Siegal, a professor at Boston University’s School of Public Health, recently stated: “Given the fact that close to 90% of the cases and 100% of the deaths for which products have been reported are associated with marijuana vaping, it is inexcusable that the CDC [Centers for Disease Control and Prevention] fails to distinguish between the products being vaped.” The communications from CDC also have failed to distinguish between vaping oil-based e-liquids − which were used in the illicit THC cartridges that have given rise to multiple arrests in Arizona and Wisconsin and cause lipoid pneumonia − and the water/alcohol-based e-liquids that are used in virtually all e-cigarettes. More troubling is the fact that the media largely has overlooked that the manufacturers of nicotine-containing e-liquids filed their ingredient lists with the FDA years ago.

On September 27, 2019, the CDC released the following information:

  • There are 805 lung injury cases reported from 46 states and 1 U.S. territory. Twelve deaths have been confirmed in 10 states.
  • CDC has received sex and age data on 771 patients.
    • About 69% of patients are male.
    • Nearly two thirds (62%) of patients are 18 to 34 years old; with 22% of patients between 18 and 21.
    • Sixteen percent of patients are under 18 years of age.
  • All reported patients have a history of e-cigarette product use or vaping.
  • The latest findings from the investigation into lung injuries associated with e-cigarette use or vaping suggest products containing THC play a role in the outbreak.
    • CDC has received data on substances used in e-cigarettes or vaping products in the 30 days prior to symptom onset among 514 patients:
      • About 77% reported using THC-containing products; 36% reported exclusive use of THC-containing products.
      • About 57% reported using nicotine-containing products; 16% reported exclusive use of nicotine-containing products.

While some policy makers appear to be confused over the cause of the recent reports of lung disease, there is no coincidence that the recent use of vitamin E acetate and possibly other unapproved thickening agents by the illicit THC manufacturers caused the public health crisis that prompted Massachusetts’s ban of all vapor products. One should ask whether it makes sense that vaping nicotine e-liquids, which have been available since at least 2007, would suddenly cause lipoid pneumonia lung disease (which is a rare condition that occurs when fat particles enter the lung) disproportionately in white males with an average age of 19.

Impact of the Ban

The abrupt action of Massachusetts resembles the witch hunts of that former colony’s past. With a single stroke of a pen on an emergency order from Governor Charlie Baker, Massachusetts has foreclosed the right of its citizens to their freedom of choice, denying them the right to an arguably safer alternative to smoking cigarettes, and caused far-reaching economic harm to many small businesses that manufacture and sell vaping products. Such an action will surely cause many bankruptcies, as these legal businesses can no longer afford to pay rent or buy products made and/or sold by other U.S. companies, pay salaries to employees, or pay taxes to Massachusetts and the federal government.

The economic impact of the vaping industry in the United States in 2018 was almost $24 billion, which means that the impromptu actions of Massachusetts will likely cause a reversing trend and cast a negative shadow over a legitimate and safe industry. The broad scope of the ban smacks of an unconstitutional taking of property without due process. Many affected businesses will have difficulty surviving without four months of revenue, which is why national trade organizations such as The Vapor Technology Association and others are considering legal options.

Call for International Forum on Safety and Health Benefits

Unfortunately, as the witch hunts continue, consumers will not be safer. Any person who was vaping legal nicotine containing e-liquids rather than smoking combustible cigarettes will have to make the choice to return to smoking combustible cigarettes or buy a black market e-liquid product. Citizens of Massachusetts who legally use THC through vaping for medicinal purposes also will be affected by the ban. Since all the data shows the lung disease breakouts were overwhelmingly caused by illicit THC cartridges made with vitamin E acetate or other unregulated thickening agents, the public health ban on legitimate products only increases the black market demand and the risk of illicit THC cartridges finding their way back into the hands of consumers, in addition to creating a black market for nicotine e-liquids while the CDC warns consumers not to buy these products off the street

The manufacturers of both nicotine-containing e-liquids and THC-containing products support meaningful regulation so health problems caused by illicit manufacturers can be prevented. A sensible public health strategy devised by the federal government likely could have prevented many of these illnesses and deaths by stopping unregulated illicit-market THC vape products from getting into the hands of consumers. But the voices of science and good public policy are falling on deaf ears while legitimate small businesses are being harmed and consumer choices for legitimate products are being eliminated.

One can only hope that Massachusetts reconsiders this ban and that other states do not follow this type of overreaching prohibition. Public policy regulators should discuss these issues in an international forum such as The E-Cigarette Summit, where the public health benefits experienced by the UK and other countries as well as the detailed facts of the recent cases of lung disease can be debated before businesses are closed. Until then, the black market profits while legal small businesses are “vaporized.”


© 2019 Wilson Elser

For more on vaping regulation, see the National Law Review Products Liability page.

U.S. Dealing with Several Hepatitis A Outbreaks, Including One Due to Food Worker Infection

Public health officials in Mendham, New Jersey are dealing with a relatively rare instance of a foodborne hepatitis A outbreak due to an ill food handler.  The employee has been linked to illnesses in 27 people, with 1 death reported.

According to the Centers for Disease Control and Prevention, foodborne outbreaks of hepatitis A are not common in the U.S.  CDC does not recommend that all food service workers receive routine vaccination against hepatitis A—except in areas with an active community-wide outbreak and where state and local health authorities (or private employers) indicate that vaccination would be cost-effective.

There are hepatitis A outbreaks in Alabama and Nevada where infected food handlers have been identified but where illnesses have not been traced to such workers.  Twenty-five counties in Alabama are reporting cases of hepatitis A in an outbreak that has been ongoing since September 2018, including among food workers; officials are urging food handlers in that area to get vaccinated.  Officials in Las Vegas, which also has an ongoing outbreak with 86 cases and one death, have warned customers who purchased non-prepackaged foods at a 7-Eleven store where a worked tested positive for hepatitis A to be on the lookout for symptoms.

CDC’s hepatitis A surveillance is updated through 2016.  Thus, it is not yet clear whether the 2019 cases reflect a marked increase in the incidence of hepatitis A in the U.S.



© 2019 Keller and Heckman LLP

Fiduciary Risk in Data Privacy and Cybersecurity? You Bet!

Health plan administrators are (or certainly should be) well-versed in their obligations under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Failure to secure protected health information (PHI) from disclosure can result in civil monetary penalties of up to $1.5 million and potential criminal penalties of up to 10 years’ imprisonment. Penalties of this size have the tendency to get people’s attention. But, if you are a retirement plan fiduciary or administrator (which likely includes officers and other senior-level executives at a company), are you aware of your obligations to protect sensitive data and other personal information in your control and the control of your vendors?

Retirement plans store extensive personal data on each participant and beneficiary. This data ranges from Social Security numbers and addresses to dates of birth, bank account and financial information, and other records and is stored physically and in electronic forms for years, if not decades. The term often used for this type of information is “personal identifiable information” (PII). While stored, numerous human resources and benefits department personnel, participants, beneficiaries, recordkeepers, trustees, consultants, and other vendors have access to some or all of this highly sensitive information. The extensive trove of PII presents an attractive, and often undersecured and easily exploitable, opportunity for criminals intent on stealing identities or on the outright theft of plan assets and benefit payments.

Federal laws similar to HIPAA but applicable to retirement plans have not (yet) been enacted. However, this does not mean that retirement plan fiduciaries and administrators are off the hook. Under the Employee Retirement Income Security Act of 1974 (ERISA), as amended, a fiduciary is required to discharge his or her duties solely in the interests of plan participants and beneficiaries, and, in doing so, must adhere to a standard of care frequently described as the “prudent expert” standard. Under this standard, it is not difficult to conclude that a retirement plan fiduciary who does not take certain precautions with regard to the protection of PII may be in breach of his or her fiduciary duty. And, although a breach of an ERISA fiduciary duty does not trigger clear statutory penalties like those applicable under HIPAA and HITECH, under ERISA, fiduciaries are personally liable for their fiduciary breaches.

So, what precautions should retirement plan fiduciaries take to help ensure that they have fulfilled their fiduciary duties with respect to data privacy and cybersecurity? What should a fiduciary do in the event of a data privacy or cybersecurity breach? Presently, 47 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted some form of breach notification law, and it is unsettled whether these breach notification laws are preempted by ERISA.

Copyright © 2016 by Morgan, Lewis & Bockius LLP. All Rights Reserved.

Bipartisan Budget Act of 2015 – Potential Impact on Hospitals

House Republican leaders introduced legislation on Monday, finalizing a two-year budget agreement between Congressional leaders and the White House. This legislation is currently being considered and may be up for a vote as early as Wednesday on the bipartisan budget deal.

Hospitals should note the language in Section 603 (which is on pages 35-39 of the draft bill) codifies the definition of a “provider-based off-campus hospital outpatient department” (PBD HOPD) as a location that is not on the main campus of a hospital and is located more 250 yards from the main campus.  The section defines a “new” PBD HOPD as an entity that executes a CMS provider agreement after the date of enactment of the Act and that any NEW PBD HOPD executing a provider agreement after the date of enactment would not be eligible for reimbursements from CMS’ Outpatient Prospective Payment System (PPS).

Bipartisan Budget Act of 2015

Section-by-Section Summary

©2015 Epstein Becker & Green, P.C. All rights reserved.