Blog

By: Carolyn J. Johnsen, Senior Partner, Dickinson Wright, PLLC

Financial distress in the health care sector has reached a new high as demonstrated by the number of bankruptcies filed by health care-related companies in the past year. Many analysts have attributed the cause of this massive increase to the Pandemic era when various government protection and stimulus programs provided entities with much-needed cash that in many cases was depleted without the recipient addressing and solving its internal problems. The pre-Pandemic problems unfortunately still have persisted in many instances and health care administrators and professionals are now challenged with developing solutions.  A bankruptcy may provide the best strategic option.

WHAT CAN A BANKRUPTCY ACCOMPLISH?

A common misconception is that an entity or individual must be insolvent in order to file bankruptcy.  That is not the case and in fact, a solvent entity may file for any number of reasons simply to take advantage of bankruptcy code provisions designed to assist it with a reorganization plan.  Clearly, the negative stigma of filing a bankruptcy no longer exists as it has now been recognized as a valuable business tool. Bankruptcy offers a means to an end whether the goal is to stabilize and continue operations or sell or merge the business. The bankruptcy provides the time necessary to structure a realistic solution that benefits all stakeholders. Another misconception is that upon filing, a bankruptcy trustee will take over the business and immediately liquidate the assets.  This is also untrue.  A Chapter 11 bankruptcy is designed to allow current management to remain in place as a “debtor-in-possession” to either reorganize the business or sell it in an orderly fashion to maximize proceeds for the benefit of all constituents.  Overall, a bankruptcy can provide the path to attain a company’s short term or long term goals, particularly in this distressed environment – all with less or controlled risk.

STEP ONE – ESTABLISHING THE GOAL

The most common feature of a financially distressed business is likely a shortage of liquidity. But, what is the cause?  In general the across-the-board external factors have included a rise in labor costs, increase in interest rates and overall inflation, and, of course, the persistent and fluid regulatory overlay that affects reimbursement rates. All affect cash flow.  While these problems are not within immediate control, a health care company needs to be prepared to react to this pervasive stress. On an internal basis, problems may vary but consistently involve management’s juggling of compliance and patient needs with the plain and simple challenges of paying lenders, landlords and vendors. Solutions for these issues are within reach.

First and foremost, the entity’s or group’s mission must be determined or repurposed.  Some hospitals want to grow; others are happy to merge.  Some physicians what to become employees; others do not.  Some entities are saddled with an outdated legacy operating model; others have solvable cost containment issues.  In all cases, just like any business outside of the health care space, there needs to be a business plan.  The focus should be that if today, the business is at point A, what is point B. Is it trying to grow, is it trying to shrink, is it trying to reduce debt and stay in business, is it in need of a management succession plan, is it time to sell?  Once these basic goals are established, then the granular problems can be analyzed to develop a solution. 

STEP TWO – PINPOINTING THE PROBLEM

          By statute, (the federal Bankruptcy Code), a debtor in bankruptcy has at its disposal certain valuable powers. These include an instantaneous stay of all payments to creditors and all lawsuits that may have been levied against the debtor.  The so called “automatic stay”[1] gives the entity a respite from its current cash drain and the chance to negotiate with its creditors and perhaps its shareholders.  In addition, the debtor has the ability to reject, thereby cancelling burdensome contracts and leases[2], may be able to modify its secured debt, and may be able to reduce past vendor liabilities.  Thus, initially it is critical to analyze cash in and cash out:  can the revenue stream be increased by rejecting a poor provider agreement or by better collections; is the entity suffering under a lease which is above market rent; are there staffing issues?  Once these issues are identified, the entity can weigh its options of whether to restructure its debt and equity structure and continue operations or effectuate a sale or merger.  Again, bankruptcy may be the appropriate strategy.

STEP THREE – IMPLEMENTING A SOLUTION

Out-of-Court

The terms “restructuring” or “work-out” are part of the financial distress lexicon. These concepts refer to out-of-court efforts to negotiate better terms with problematic lenders, landlords or vendors.  To be sure, this alternative is less expensive and should be considered and attempted prior to resorting to bankruptcy protection which necessarily involves multiple parties—secured creditors, unsecured creditors, equipment lessors, investors, employees, landlords—not to mention a judge who referees everything.    However, often the various issues cannot be resolved out of court because a counter party demands unreasonable concessions that would not have to be given up in a bankruptcy or because the problems are easier resolved in a single forum.  

Classic Reorganization

Commencement of a Chapter 11 bankruptcy case[3] is procedurally the same whether the debtor desires to continue operations or sell or merge its business.  In the case of a debtor that is going forward or merging with another entity, the ultimate strategy is embodied in a plan of reorganization.  That plan will set forth how the business will be financed, how creditors will be paid, and how equity will be structured. It may be a lengthy process, certainly no shorter than a year, and will undoubtedly involve negotiations with the various factions involved.  At the end, however, the entity has the opportunity to emerge revitalized with a new balance sheet.   

Case in point:  An example of a successful plan of reorganization that incorporated multiple bankruptcy tools and strategies is the case of a 32-bed surgical hospital in Phoenix owned by a group of 15 physicians.  The entity was in financial distress because of flailing management, poor performing provider contracts, and shareholders who were not engaged.  At the time of filing, the unsecured debt to vendors had grown exponentially and there was little hope that creditors could be repaid any significant amount of their claims.   A Chapter 11 was filed, bad contracts were rejected, management was replaced, and a merger partner was located.  The ultimate plan provided for payment to creditors in full and a 13 percent return to equity. 

Sub-Chapter V for Small Debtors

A Chapter 11 bankruptcy can alleviate pressures a company is experiencing with its creditors and provide a chance to continue its operations.  But, it can be a complicated, lengthy, and expensive process that makes it difficult for a small business to actually reorganize. However, one benefit emanating from the Pandemic crises was an amendment to the Bankruptcy Code that provides for a streamlined version of a Chapter 11 reorganization known as a Sub-Chapter V. Sub-Chapter V is designed to increase access and the ease of reorganization for small business debtors by relaxing the requirements of an ordinary Chapter 11 and allowing business owners to retain more control over their companies. It may offer the ideal solution for a small physician practice, a small hospital or nursing facility.[4] 

          A Sub-Chapter V Debtor can be an individual or a company so long as it is engaged in commercial or business activity and at least 50 percent (50%) of the debt arose from such activity. The debtor can only have a maximum aggregate liquidated non-contingent secured and unsecured debt totaling $7,500,000.[5]   Although a Chapter V Trustee is appointed, the debtor remains a debtor-in-possession of its assets and the plan process is extremely pared down.  The Trustee’s principle obligation is to facilitate a consensual plan of reorganization.  Simplistically, the debtor can confirm a plan if it pays its unsecured creditors its projected “disposable income” (defined as funds not reasonably necessary to ensure the continued operation of the business) over a period of three to five years. The debtor can still implement other aspects of the Bankruptcy Code to modify secured claims and reject contracts.

The Bankruptcy Sale

In the past decade, sales in bankruptcy have become predominant.  The term “363 sale” refers to the section 363 of the Bankruptcy Code which permits a debtor to sell its assets free and clear of liens and interests.  For buyers, a bankruptcy sale provides the opportunity to grow or enhance business, find synergies, or acquire assets at a reduced price. For sellers, a bankruptcy sale provides the opportunity to regain financial stability in a period of decreased revenues and lack of cash, divest some or all assets, and pay debt. Most important is that the sale is blessed with a court order approving the sale that likely will include findings that there is no successor liability for the buyer and that the sale process was completed in good faith and for adequate consideration. Many buyers insist on a sale occurring in a bankruptcy because of the protections it offers and may be willing to finance it.

For the most part, bankruptcy sales are always subject to higher and bidder bids and therefore the debtor will establish bid procedures and an auction date.  The debtor will have to demonstrate that its assets were marketed sufficiently.  It may have a stalking horse bidder whose bid establishes a floor price. The stalking horse bidder may seek bid protections such as a break-up fee and expense reimbursement. The entire process is typically an expedited procedure requested by the debtor often under pressure and at the insistence of a secured creditor. 

In the sale context, the debtor works with the proposed buyer to assign to it the contracts and leases it desires for the continued operation of the business.  The funds required to cure the monetary defaults for those assigned contracts are typically part of the purchase price[6].  The remainder are rejected by the debtor. 

For buyers, the benefits of a bankruptcy sale include speed (although due diligence is on a shortened time frame), price, and the reduced risk of successor liability or claw-back.  It obtains the assets without the liabilities which stay with the debtor. The detriments include the risk of overbid by another buyer that drives the price up or wins the deal, difficulty in dealing with all the competing interests in the case, and competition and public disclosure.

For the seller debtor entity, the benefits include speed and the re-payment of a greater amount of debt from the proceeds of the sale. The detriments include whether the debtor can survive in a bankruptcy case long enough to complete the sale and whether stakeholders are willing to consent and/or negotiate through the process

Case in point:  In August, a 33-bed community hospital filed Chapter 11 in Dallas, Texas and immediately sought to have a sale of all of its assets.  The hospital was built in 2019 but its business plan did not anticipate the high costs to “ramp up” before revenues could increase and stabilize and it was suffering large losses.  In order to have the time necessary to hold an auction and complete a sale, the debtor had to obtain financing so the hospital could continue operations prior to sale. After extensive marketing, the debtor held a robust auction at which time a large hospital chain that was anxious to expand its footprint in the Dallas market purchased the hospital at a higher price than was originally projected.  The debtor subsequently filed a plan to distribute the proceeds of the sale.

OVERALL CONSIDERATIONS FOR HEALTH CARE ENTITIES

In health care bankruptcies, judges are exceptionally cognizant of the need to protect patients. In fact, in almost every case involving patients, the judge will appoint a patient ombudsman who is tasked to regularly inspect and report on the operations of the debtor and its standard of care. While this may seem an intrusion to the debtor’s operations, the debtor’s relationship with and assistance to the ombudsman can be beneficial to the debtor’s goals in the case.

Although Bankruptcy Courts are courts of equity, judges typically disdain fraud. Consequently, problems that have occurred with improper billings or reimbursements will likely not be remedied in a bankruptcy case. Nonetheless, for the honest debtor, the court  is likely to be empathetic with the debtor’s need to keep operations alive, whether through its own actions or a sale, the need to pay physicians and staff, and the need to protect the community interest for which the debtor may serve.

CONCLUSION

No one can predict what lies ahead for the health care industry as a whole, and although external factors cannot be solved, from distress may come opportunity. Bankruptcy alternatives may provide the right business strategy and legal tools for solving financial issues.

---

[1] Section 362 of the Bankruptcy Code.

[2] Section 365 of the Bankruptcy Code.

[3] For purposes of this article, the author is assuming that the entity or group is seeking to either reorganize its operations or is seeking a sale or merger and hence, a Chapter 11 is appropriate. Pure liquidations under Chapter 7 of the Bankruptcy Code in which a trustee is appointed to seek full control of the debtor’s business and sell its assets is not discussed here.

[4] For example, in mid-March 2024, a group of four skilled nursing facilities filed a Sub-Chapter V in Eastern Texas to address severe cash problems. 

[5] When the bill was passed, the original debt ceiling was $2,725,625 but was increased by amendment during the Pandemic.  The current $7.5 Million ceiling is set to revert to the original ceiling in June 2024; however, bankruptcy analysts and experts predict that Congress will act to preserve the current amount.

[6] Bankruptcy Courts are not entirely consistent in how Medicare provider contracts overseen by the Health and Human Services Department are treated in sale situations.  It is important to be aware of how HHS may treat the contract in a particular jurisdiction and also to be prepared to negotiate its particular issues. 

By: Max Mashal, Juris Doctor Candidate (Class of 2025), Sandra Day O’Connor College of Law at Arizona State University

Introduction

On September 29, 2023, the U.S. Food and Drug Administration (FDA) announced a proposed rule that would classify laboratory-developed tests (LDTs) as “devices” under the Federal Food, Drug, and Cosmetic Act (FDCA) by amending the definition of in vitro diagnostic products (IVDs) under 21 C.F.R. § 809.3(a).[1] If this rule is implemented, LDTs will now have to meet the same regulatory standards as other FDA-regulated medical devices.[2]

Laboratory-Developed Tests

Laboratory-developed tests are in vitro diagnostic products that are designed, manufactured, and used within a single clinical laboratory which meets certain laboratory requirements (including CLIA certification).[3] Until recently, LDTs were mainly used for rare diseases and low-volume testing.[4] Now, they are widely-used by a more diverse population, thanks to high-tech instrumentation and software.[5] LDTs can now be used to diagnose and treat complex diseases, act as companion diagnostics for personalized medicine, and can be rapidly adapted to address emergency responses.[6]

However, unlike other IVDs, LDTs have not historically been subject to the FDA’s regulatory oversight.[7] The FDA has exercised enforcement discretion over LDTs for decades, allowing them to enter the market without FDA approval or clearance.[8] This has created a regulatory gap that poses significant risks to public health, as some LDTs may be inaccurate, unsafe, or ineffective.[9]

Phasing Out the FDA’s Enforcement Discretion Policy

Under the proposed rule, the FDA would implement a phased approach to end its enforcement discretion policy over a period of one to four years after the publication of the final rule.[10] The transition period would vary depending on the risk level of the LDTs, with high-risk tests being subject to premarket review earlier than moderate-risk or low-risk tests.[11] The FDA estimates that about 50% of the current LDTs are low-risk tests that may be exempt from premarket review under the new regulations.[12]

Under the proposed rule, the FDA has structured the phaseout policy as follows:

• One Year After Publication: The FDA’s general enforcement discretion approach would end with respect to Medical Device Reporting (MDR) requirements, as well as correction and removal reporting requirements.
• Two Years After Publication: Enforcement discretion would also end for other requirements. This would exclude MDR, correction and removal reporting, Quality System (QS) regulations, and premarket review. LDTs will then need to comply with FDA regulations related to registration, listing, labeling, and investigational device exemptions.
• Three Years After Publication: Enforcement discretion would end for QS requirements.
• Three and a Half Years After Publication:[13] Enforcement discretion would end for premarket review requirements for high-risk IVDs, subjecting Class III LDTs to full Pre-Market Approval requirements under the FDCA.
• Four Years After Publication:[14] Enforcement discretion would end with respect to premarket review requirements for moderate and low risk IVDs needing premarket review. Class II and certain Class I LDTs would need to meet full 510(k) premarket and de novo requirements under the FDCA. The proposed rule suggests the FDA will not enforce actions against LDTs for which 510(k)s and de novo applications are submitted within this four-year period until the FDA review concludes.

Closing the Theranos Loophole

The FDA’s proposed rule aims to ensure the safety and effectiveness of LDTs, foster innovation, and align with evolving healthcare needs. It also intends to close a loophole which has been exploited by companies like Theranos, a startup that claimed to offer revolutionary blood tests that could perform hundreds of analyses with a single drop of blood.[15] Theranos’ tests were found to be unreliable, inaccurate, and fraudulent, putting patients at risk of misdiagnosis and mistreatment.[16] The company was able to market its tests without FDA approval by exploiting this regulatory loophole for LDTs.[17] The FDA’s proposed rule is intended to prevent such cases from happening again by requiring all LDTs to comply with the same regulatory standards as other medical devices.[18]

Conclusion

The FDA’s proposed rule is expected to face challenges and legal disputes from stakeholders who may oppose the agency’s authority over LDTs or fear the impact of the proposed regulations on their businesses.[19] The public comment period for the proposed rule closed on December 04, 2023.[20]

---

[1] Medical Devices; Laboratory Developed Tests, Federal Register (2023), https://www.federalregister.gov/documents/2023/10/03/2023-21662/medical-devices-laboratory-developed-tests (last visited Oct 11, 2023).

[2] Harsh Parikh et al., FDA proposes new regulations to increase oversight of Laboratory Developed Tests, Nixon Peabody LLP, https://www.nixonpeabody.com/insights/alerts/2023/10/11/fda-proposes-new-regulations-to-increase-oversight-of-laboratory-developed-tests (last visited Dec 18, 2023).

[3] Center for Devices and Radiological Health, Laboratory Developed Tests, FDA (2023), https://www.fda.gov/medical-devices/in-vitro-diagnostics/laboratory-developed-tests (last visited Oct 11, 2023).

[4] Office of the Commissioner, FDA Proposes Rule Aimed at Helping to Ensure Safety and Effectiveness of Laboratory Developed Tests, FDA (2023), https://www.fda.gov/news-events/press-announcements/fda-proposes-rule-aimed-helping-ensure-safety-and-effectiveness-laboratory-developed-tests (last visited Oct 11, 2023).

[5] Federal Register, supra note 1, at 3.

[6] An introduction to diagnostic testing in laboratories—US, https://www.thermofisher.com/us/en/home/clinical/clinical-genomics/molecular-diagnostics/diagnostic-testing-laboratories-intro.html (last visited Dec 18, 2023).

[7] Federal Register, supra note 1, at 3.

[8] Office of the Commissioner, supra note 4.

[9] Id.

[10] Federal Register, supra note 1, at 19.

[11] Id.

[12] Id. at 8; See also Inside FDA’s Proposed Rule to Regulate LDTs, https://www.thefdagroup.com/blog/fda-proposed-rule-ldt (last visited Dec 18, 2023).

[13] But no earlier than October 1, 2027.

[14] But no earlier than April 1, 2028.

[15] Kezia Parkins, The Theranos saga: a wake-up call for the lab-developed test market, (2022), https://www.medicaldevice-network.com/features/theranos-ldt-regulation/ (last visited Oct 11, 2023).

[16] Id.

[17] Id.

[18] See Office of the Commissioner, supra note 4.

[19] Gregory Levine, Joshua Oyster & Michael Purcell, Regulation Without Legislation: FDA Proposes Rule to Regulate Laboratory Developed Tests and End Historical Enforcement Discretion Policy | Insights | Ropes & Gray LLP, (2023), https://www.ropesgray.com/en/insights/alerts/2023/10/regulation-without-legislation-fda-proposes-rule-to-regulate-laboratory-developed-tests (last visited Oct 11, 2023).

[20] Federal Register, supra note 1, at 2; Center for Devices and Radiological Health, supra note 4.

By Kaytie Ravega, partner at Quarles & Brady LLP, with contributions from partner Ted Sullivan and associates Ashleigh Giovannini, Shamika Mazyck, Jacob Pallotta, and Monica Wright, who thankfully watched the DEA listening sessions referenced below in shifts to capture the threads and important points raised by the many speakers on this critical topic.

Introduction to federal law regulating telemedicine controlled substance prescribing, circa 2009 through 2020

It is well known that the Drug Enforcement Administration (“DEA”) requires a prior in-person visit before a healthcare provider may prescribe a controlled substance to a patient during a telemedicine encounter.  This is a component of the Ryan Haight Act (the “Act”), a federal statute that took effect in 2009. Perhaps less familiar, the Act also includes a mandate to DEA to create a way for telemedicine providers to register or have some path to providing controlled substance prescriptions to their patients without the in-person visit requirement.  Developing a registration for telemedicine providers has apparently not been as easy as creating a separate registration number, such as the recently-retired “X” numbers for suboxone prescribing.  Rather, despite multiple instructions from Congress over the past decade, as well as pleas from industry leaders such as the American Hospital Association, DEA has not implemented an option for telemedicine providers to provide care for patients who require controlled substance prescriptions without the in-person visit.  The most recent Covid-19 public health emergency (“PHE”), however, continued to force the issue.

Attempts at regulating telemedicine controlled substance prescribing, circa 2023

During the PHE the in-person visit requirement for telehealth controlled substance prescribing was generally waived, with an express statement from DEA that the requirement would be restored once the pandemic ended. As the PHE rambled toward closure, on February 24, 2023 the Department of Health and Human Services (“HHS”), the Department of Veterans Affairs (“VA”), and DEA issued a Notice of Proposed Rulemaking (the “Proposed Rule”) proposing to permanently extend the PHE telemedicine prescribing flexibilities and requesting public comments on the proposal.  

In May 2023, the DEA published an alert indicating that it received more than 38,000 comments from industry stakeholders regarding the Proposed Rule. Because of this comment volume, the DEA announced the submission of a draft Temporary Rule to the Office of Management and Budget titled “Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications” (the “Temporary Rule”) with an effective date of May 11,^,2023. The Temporary Rule authorized providers to continue relying on the PHE telemedicine flexibilities for the prescription of controlled substances through November 11, 2023. Upon that expiration date, the Temporary Rule had stated that the full scope of telemedicine flexibilities will end for new relationships, and only be extended through November 11, 2024 for provider-patient telemedicine relationships established prior to or on November 11, 2023. 

As part of the planning for the Proposed Rule to become effective (once the Temporary Rule ended or at some other time to be determined) and to consider what additional changes may be needed in light of all the comments to the Proposed Rule, DEA hosted a two-day listening session on September 12 and 13, 2023 to empower “healthcare practitioners, experts, advocates, patients, and other members of the public” to voice their support for or objection to the provisions of the Proposed Rule. The stated goal of the listening session was to “receive additional input concerning the practice of telemedicine with regards to controlled substances and potential safeguards that could effectively prevent and detect diversion of controlled substances via telemedicine.”  In other words, DEA and the healthcare community at large face a challenge of competing interests in terms of telemedicine prescribing; specifically, how to support increased access to healthcare through telemedicine while managing the risk of diversion? 

Numerous presenters over the course of the two day event addressed a range of topics related to telemedicine prescribing, discussing:

• the need for more flexibility, away from the rigidity of the pre-PHE prior in-person visit requirement;
• concerns about ensuring prescriptions are valid and that provider-patient relationships exist;
• ensuring that pharmacies are not treated as a gatekeeping substitute for adequate enforcement against rogue prescribers;
• preventing telemedicine from being an avenue of diversion or fraud to the extent possible; 
• the critical role of telemedicine in access to care in multiple scenarios where many parts of the U.S. confront provider shortages, including mental health care, behavioral health, and chronic condition management of many kinds; 
• telemedicine’s effect on patient compliance with care and improved participation in care management, such as showing up for telemedicine visits more reliably and other key examples; 
• a wide range of proposals for recommended changes, including those who requested prohibiting some specific products or provider types, such as nurse practitioners and physician assistants, from controlled substance prescribing via telemedicine altogether; and
• whether DEA has a legitimate role in affecting telemedicine practice to the extent clinical care is affected, among many other points both for and against these examples.

In the face of all of this, to consider options and next steps, DEA again adjusted the compliant path.

The Current Rule, circa 2023-2024

Approximately a month after the listening sessions, on October 10, 2023, DEA, jointly with HHS, published a “Second Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications,” (the “Current Rule”).  Note that state requirements may vary from and be more stringent than DEA’s requirements.

The Current Rule extended and renewed the Temporary Rule, meaning that instead of ending on November 11, 2023, the flexibilities for controlled substance prescribing in place during the PHE are now extended through December 31, 2024. Further, the Current Rule authorizes all DEA-registered practitioners to prescribe Schedule II-V controlled substances via telemedicine until December 31, 2024, regardless of whether the practitioner established a telemedicine relationship with the patient prior to or on November 11, 2023. The DEA signaled that the agency chose to extend these flexibilities as it continues to evaluate the information gathered during the two-day listening session and develop new standards and/or safeguards for telemedicine prescribing of controlled medications. Drafters of the Current Rule indicated that DEA anticipates promulgating new rules in the Fall of 2024. 

Specifically, under the Current Rule, and if allowed by applicable state laws, controlled substance prescriptions may be issued during a telemedicine encounter, without a prior in-person visit, only if all of the following conditions are met: 

(1) The prescription is issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice; 

(2) The prescription is issued pursuant to a communication between a practitioner and a patient using an interactive telecommunications system referred to in 42 CFR § 410.78(a)(3) [a two way, audio video real time encounter];

(3) The practitioner is (i) authorized to prescribe the class of controlled substance specified on the prescription, or (ii) exempt from obtaining a registration to dispense controlled substances; and

(4) The prescription is consistent with all other applicable legal requirements.

See 21 CFR § 1307.41; 42 CFR § 12.1.

By: Nikki Hazelett, 2025 J.D. Candidate, Sandra Day O’Connor College of Law at Arizona State University

In early spring, the Drug Enforcement Agency (DEA) and Substance Abuse and Mental Health Services Administration (SAMHSA) issued a temporary regulation that extended specific telemedicine flexibilities that were initially implemented during the federal COVID-19 Public Health Emergency (PHE).

Per this extension, the DEA’s full set of COVID-19 waivers for prescribing controlled substances via telemedicine will remain viable until November 11, 2023. Provided such prescriptions comply with DEA regulations, physicians may continue to prescribe schedule II-V controlled medications through telemedicine without first conducting an in-person medical examination of the patient.

Additionally, the extension grants individuals who formed a practitioner-patient relationship via telemedicine on or before November 11, 2023, a one-year grace period through November 11, 2024, to continue utilizing PHE flexibilities for prescribing controlled medications through telemedicine.

The intended goal of the temporary extension is to prevent lapses in patient care, ensure the accessibility of telemedicine, and allow sufficient time for healthcare practitioners and patients to prepare for future regulations regarding prescribing controlled medications via telemedicine.

Ultimately, the DEA and SAMHSA anticipate enacting a final set of regulations concerning the practice of telemedicine. Until then, the federal government has determined this temporary regulation is “otherwise consistent with public health and safety,” allowing the DEA and Department of Health and Human Services (HHS) time to address the 38,396 public comments received on two previous notices of proposed rulemakings concerning telemedicine.

Legal Authority & Background:

The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 (the Ryan Haight Act) amended the Controlled Substances Act by adding several new provisions regarding the illegal distribution of controlled substances over the internet. The Ryan Haight Act prohibits distributing and delivering controlled substances online without a valid prescription.[1] The Ryan Haight Act aimed to deter the exploitation of controlled substances through “rouge websites” and “online pharmacies” offering medications without a valid physician-patient relationship.

Implemented by the DEA, the Ryan Haight Act requires practitioners to perform in-person medical evaluations before prescribing controlled medications to patients via telemedicine. It also established seven “practice of telemedicine” exceptions, one of which authorizes the Attorney General and Secretary of Health and Human Services to promulgate rules allowing practitioners to prescribe controlled medications without conducting an in-person examination, provided the practice is in accordance with Federal and State law.

DEA & HHS Proposals:

In response to the COVID-19 PHE, the DEA granted temporary exceptions to both the Ryan Haight Act and the DEA’s power to implement regulations, which permitted physicians to prescribe controlled medications through telemedicine without a prior in-person medical examination. 

The DEA put forth these regulations via two published letters in 2020:

• A March 25, 2020 “Dear Registrant” letter signed by William T. McDermott, DEA’s then-Assistant Administrator, Diversion Control Division; and
• A March 31, 2020 “Dear Registrant” letter signed by Thomas W. Prevoznik, DEA’s then-Deputy Assistant Administrator, Diversion Control Division. 

Three years later, faced with the impending expiration of the COVID-19 PHE, the DEA and HHS promulgated two notices of proposed rulemakings (NPRMs) on March 1, 2023:

• “Telemedicine Prescribing of Controlled Substances When the Practitioner and the Patient Have Not Had a Prior In-Person Medical Evaluation” (the General Telemedicine Rule); and
• “Expansion of Induction of Buprenorphine via Telemedicine Encounter” (the Buprenorphine Rule). 

The proposed rules would establish limited circumstances where a practitioner may prescribe specific controlled medications to patients through telemedicine post-PHE. The agencies expressed a desire to transition seamlessly into post-PHE regulations and ensure patients have reliable access to controlled prescriptions via telemedicine consistent with “public health and safety, while maintaining effective controls against [drug] diversion.”

For example, the General Telemedicine Rule proposed a grace period of 180 days after the expiration of the COVID-19 PHE to extend telemedicine flexibilities to practitioner-patient relationships formed during COVID-19. 

The comment period for the proposed rules ran through March 31, 2023, and generated an astonishing 38,369 public comments. To effectively review these comments, the DEA and SAMHSA issued a temporary extension of PHE telemedicine flexibilities, as discussed above.

Public Response to the NPRMs:

The American Psychiatric Association (APA) was one among many organizations to submit a comment on the NPRMs. Notably, the APA cautioned the DEA from taking “too many steps backwards” and imposing futile restrictions on the practice of telemedicine during an “opioid public health emergency and nationwide mental health and access to care crisis.”

The APA produced five key recommendations that better balanced the DEA’s obligation to prevent drug diversion without restricting individuals’ access to life-saving technology. The recommendations include:

1. Allowance for referring practitioners to not be DEA-registered.
2. Reduction in administrative requirements for referring and prescribing practitioners.
3. Reduction in additional state-based registration requirements.
4. Removal of clinical decision-making from regulation in these proposed rules.
5. Clarification of key inconsistencies in the proposed rules.

The American Hospital Association (AHA) also submitted a comment letter to the DEA regarding the NPRMs. The AHA wrote that the exceptions for in-person medical evaluations under the Ryan Haight Act —specifically under the “other circumstances” catch-all— were opportunities for the DEA to build upon policies for the safe administration of prescriptions via telemedicine. However, the AHA felt that the DEA failed to expand upon prior policies and instead created “unnecessarily burdensome” limits to telemedicine that would adversely impact individuals’ access to healthcare.  

Conclusion:

The purpose of this rulemaking is to extend, for a limited period, the telemedicine flexibilities that existed during the federal COVID-19 PHE. Without this temporary regulation, the COVID-19 PHE telemedicine flexibilities for prescribing controlled substances would have expired at the conclusion of the PHE on May 11, 2023. Despite the uncertainty that lies ahead, the DEA and HHS now have time to address the 38,369 comments received in response to the two NPRMs. This extension will hopefully encourage the DEA to explore regulatory alternatives to expand access to telemedicine.

---

[1]  The term “valid prescription” means a prescription that is issued for a legitimate medical purpose in the usual course of professional practice by-

(i) a practitioner who has conducted at least 1 in-person medical evaluation of the patient; or

(ii) a covering practitioner. 21 USC § 829(e)(2).

Part Two of a Two-Part Series: Unprecedented FTC Enforcement of the Health Breach Notification Rule

By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)

Part One of this series provided an overview of online tracking technologies, and summarized guidance provided in December, 2022, by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies.

This segment will discuss enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.

FTC Developments: The Health Breach Notification Rule – Uncertainty Ahead?

HIPAA covered entities are not the only ones that need to be aware of increasing regulatory scrutiny related to online tracking technology. The FTC is ramping up enforcement activity in this area against entities not subject to HIPPA.  Since 2021, the FTC has settled four significant cases involving alleged improper sharing of consumer health information with advertising platforms like Facebook and Google.[i]

In 2021, the FTC settled unfair and deceptive trade practices claims against FloHealth, the developer of the Flo Period & Ovulation Tracker app. The settlement resolved allegations that FloHealth utilized tracking technologies to share consumers’ sensitive health information with third parties for marketing and advertising purposes.[ii] On March 2, 2023, the FTC announced a proposed settlement of similar claims against BetterHelp[iii], an online mental health treatment company. Similar cases could be on the horizon.

Of particular significance, on February 1, 2023, the FTC announced resolution of its first-ever Health Breach Notification Rule (“HBNR”) action.[iv] The Respondent in that case was GoodRx, a digital health platform offering consumers prescription drug discounts and telehealth services. Just a few months later, on May 17, 2023, the FTC settled a second case involving HBNR claims, this time against Easy Healthcare, developer of the Premom Ovulation Tracking App.[v] Allegations from both cases are discussed in more detail below.

The HBNR was enacted in 2009, but until now it essentially sat idle. The Rule applies to certain non-HIPAA covered entities and imposes reporting requirements when there is a breach of individually identifiable health information.[vi] In 2021, the FTC significantly expanded its interpretation of what entities the HBNR covers and what constitutes a breach that triggers reporting requirements.[vii] Organizations not covered by HIPAA that collect consumer health data (or entities that do business with such organizations) should heed recent FTC activity as a sign to stay abreast of FTC communications about the HBNR and work closely with legal counsel to develop a compliance strategy.

Important HBNR Statutory Terms

To understand the significance of recent FTC actions involving the HBNR, knowledge of some of the statutory terms and definitions is essential.

• The Rule applies to “vendors of personal health records” (PHRs), a “PHR related entity” or a “third-party service provider for a vendor of PHRs or a PHR related entity.” It requires notification of individuals and the FTC following discovery of a “breach of security” of unsecured identifiable health information contained in a PHR maintained or offered by a vendor or related entity. Third-party service providers that discover such a breach are required to notify the vendor or related entity.[viii]

• A “personal health record” is “an electronic record of PHR identifiable information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[ix]

• A “vendor of personal health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR.” [x]

• “PHR identifiable health information” is “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. sec 1320d(6)), and, with respect to an individual, information that:

• Is provided by or on behalf of the individual; and

• That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”[xi]

• Under the Social Security Act definition, “individually identifiable health information” means any information, including demographic information collected from an individual that:

• is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

• relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

• identifies the individual; or

• with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

• “Breach of security” means “with respect to unsecured PHR identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual.”[xii]

History Behind GoodRx and Premom – Statement of the Commission on Breaches by Health Apps and Other Connected Devices

In 2020, with more consumers utilizing apps and other technology to stay on top of their health, the FTC recognized that “more companies may be covered by the FTC’s Rule.”[xiii] Accordingly, it initiated rulemaking proceedings and sought public input about potential modifications to the Rule’s definitions and scope. For example, it asked whether it should change the definitions of “PHR related entity,” “third-party service provider,” and “vendor of PHRs”. It also asked, “What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?”[xiv]

In September 2021, with the rulemaking process still ongoing, the FTC reversed course and published the Statement of the Commission on Breaches by Health Apps and Other Connected Devices[xv] (the “Statement”). The Statement announced for the first time, that the FTC would enforce the HBNR against health app and connected device developers as “health care providers”[xvi] and that it would interpret “breach” to include not just cyberattacks but also sharing of identifying health information without consumer authorization.[xvii] Two commissioners wrote dissents. Both criticized the Commission for publishing the statement without first concluding the ongoing rulemaking process that sought input on these very issues. In addition, they faulted the other commissioners for significantly expanding the Rule in conflict with statutory language, congressional intent, and the Commission’s previously published business guidance.[xviii]

The GoodRx Case

In the GoodRx case, the FTC charged that GoodRx engaged in unfair and deceptive practices in violation of the Health Breach Notification Rule and Section 5 of the FTC Act. [xix] The allegations in the Complaint tracked the FTC’s expanded interpretation of the HBNR as set forth in the Statement. For example, the FTC alleged that the unauthorized disclosures of consumers’ unsecured PHR identifiable health information to Facebook and Google via web trackers constituted a “security breach.” In support of its claim that GoodRx was a “vendor of PHRs,” the FTC alleged as follows:

• The website and mobile apps are electronic records of PHR identifiable information that are capable of drawing information from multiple sources, including:
  • inputs from users;
  • Medication Purchase Data, pricing, and refill information from Pharmacy Benefit Managers;
  • pharmacy information from pharmacies;
  • information about prescribed medications from healthcare professionals (such as the name of a medication prescribed during a telehealth session); and
  • users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.
• The information is also managed, shared, or controlled by or primarily for the users. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.

In addition, the FTC alleged that GoodRx broke numerous data privacy promises it made to customers including: 

• Promised users it would never share health information with advertisers or other third parties, yet used various tracking technologies to send sensitive information like users’ medications and health conditions to companies like Facebook and Google for the purpose of targeted advertising campaigns;
• Promised users that it would only disclose their personal health information for limited purposes, then shared users’ names, addresses, email addresses, phone numbers, and other personal identifiers with advertising platforms; and
• Promised consumers it would limit how third parties that received the information could use the information yet failed to do so.

Per the settlement, GoodRx will pay a $1.5 million penalty and be banned from sharing user health information with third parties for advertising purposes. In addition, GoodRx will need to obtain affirmative express consent from users before disclosing health information to third parties for purposes other than advertising, require third parties to delete data shared with third parties, restrict its data retention periods, and implement a comprehensive privacy program.[xx]

The Premom Case

According to the FTC’s Complaint, hundreds of thousands of women have input sensitive health information into the Premom app, including period dates and pictures of ovulation test strips the app uses for predicting the next ovulation cycle. Like GoodRx, in Premom the FTC claimed the app’s developer made promises it didn’t keep concerning collection and sharing of this “identifiable health information.” The Complaint alleged violations of both the FTC Act and the HBNR.

To support its claim that the app developer is a “vendor of personal health records,” the FTC alleged:

• Premom encourages users to upload ovulation tests and large amounts of information to the app;
• Premom encourages users to connect other apps and products to Premom and permit Premom to import health information from them; and
• Premom allows users to manage and control the PHR identifiable health information in the app and track their ovulation, menstruation, and other health information.

The FTC further asserted that Premom transferred unsecured PHR identifiable health information to third parties like Google and AppsFlyer without users’ authorization. According to the Complaint, these “breaches of security” occurred for years and Premom failed to make breach notifications required by the HBNR.

Under the terms of the settlement, Easy Healthcare (Premom’s owner and developer) will pay a $100,000 civil penalty and:

• Retain users’ personal information only as long as necessary to fulfill the purpose for which it was collected;
• Will not make misrepresentations about its privacy practices;
• Comply with HBNR notification requirements for any future breach of security;
• Seek deletion of data it shared with third parties;
• Notify consumers of the FTC’s allegations and the settlement; and
• Implement comprehensive security and privacy programs with strong safeguards to protect consumer data.

In addition, in a related case, Easy Healthcare will pay $100,000 combined to Connecticut, D.C., and Oregon for violations of their laws.[xxi]

Proposed Amendments to HBNR

The day after the Premom settlement announcement, the FTC voted unanimously to issue a Notice of Proposed Rulemaking to amend the HBNR.[xxii] The proposed amendments were filed in the Federal Register on June 9 and comments will be accepted until August 8, 2023. Briefly, some of the proposed changes include:

• Clarify the scope of the rule – Current definitions would be revised, and new definitions added, to clarify the FTC’s position that mobile health apps and similar technologies not subject to HIPAA are covered by the HBNR. With these changes, the FTC hopes to make clear that the HBNR applies generally to online platforms (“…including websites, apps, and Internet-connected devices…” providing health care services or supplies) and that it covers both medical and wellness services.

• “PHR related entity” definition changes – Revise the definition to clarify that only entities that access or send unsecured PHR identifiable health information to a personal health record (not those that send ANY information) qualify as PHR related entities.

• Require consumer authorization for sharing – Health apps would need to obtain consumers’ authorization to share their information with third parties and would be mandated to notify consumers in the event information is accessed without such authorization.

• “Breach of security” definition changes – This definition would be modified to align with the position the FTC took in GoodRx and Premom. It would include unauthorized disclosures to third parties as well as data security breaches, hacking, and other cyber incidents.

• Expand breach notice and content requirements – Email and other electronic methods could be used to send breach notifications to consumers. Breach notices would need to contain additional information, such as names of third parties who may have accessed information.

• Penalties – add a new section to the rule that states the penalties (up to $50,120 per violation per day) for non-compliance.

 For more detail, read the Proposed Amendments in full.

FTC publications

For more information on the FTC’s current interpretation of the HBNR, HBNR compliance, and other FTC enforcement activity, consult the following publications:

• Complying with FTC’s Health Breach Notification Rule

• First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices

• FTC Business Guidance blog

---

[i] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog; FTC Business Blog (2023, March 3), FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises. https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke; FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order.https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[ii] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.

[iii]FTC Press Release (2023, March 3), FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising. https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

[iv] 16 CFR. § 318; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[v] FTC Business Blog (2023, May 17), FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more sensitive than that? https://www.ftc.gov/business-guidance/blog/2023/05/ftc-says-premom-shared-users-highly-sensitive-reproductive-health-data-can-it-get-more-personal

[vi] The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115, codified at 42 U.S.C. § 17937; see FTC Health Breach Notification Rule summary, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule & Complying with FTC’s Health Breach Notification Rule, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.

[vii] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[viii] 16 CFR. § 318.3. Vendors of PHRs must notify the media if the breach affects (or is reasonably believed to affect) more than 500 individuals. Id. at § 318.5(b).

[ix] Id. at § 318.2(d).

[x] Id. at § 318.2(j).

[xi] Id. at § 318.2(e).

[xii] Id. at § 318.2(a).

[xiii] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (May 22, 2020).

[xiv] Id.; see also Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf

[xv] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[xvi] The combined statutory definitions of “vendor of personal health records,” “personal health record” and “individually identifiable health information” provide that a PHR vendor subject to the statute is a “health care provider, health plan, employer, or health care clearinghouse.”

[xvii] Id.

[xviii] Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf; Phillips, N.J. (2021, Sept. 15) Dissenting statement of Commissioner Noah Joshua Phillips regarding the policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf

[xix] FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[xx] Id.

[xxi] FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[xxii] FTC Press Release (2023, May 18), FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-ruleficnbkvhernjgiddiuhhclrrrjjnuvjuduhdlvhnhttjicdjiubhjfutdiknnnke