Part Two of a Two-Part Series: Unprecedented FTC Enforcement of the Health Breach Notification Rule

By: Jeanne E. Varner Powell, The Risk Team, Mutual Insurance Company of AZ (MICA)

Part One of this series provided an overview of online tracking technologies, and summarized guidance provided in December, 2022, by the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) for HIPAA covered entities addressing privacy concerns stemming from the use of online tracking technologies.

This segment will discuss enforcement by the Federal Trade Commission (“FTC”) of the Health Breach Notification Rule related to tracking technologies.

FTC Developments: The Health Breach Notification Rule – Uncertainty Ahead?

HIPAA covered entities are not the only ones that need to be aware of increasing regulatory scrutiny related to online tracking technology. The FTC is ramping up enforcement activity in this area against entities not subject to HIPAA. Since 2021, the FTC has settled four significant cases involving alleged improper sharing of consumer health information with advertising platforms like Facebook and Google.[i]

In 2021, the FTC settled unfair and deceptive trade practices claims against FloHealth, the developer of the Flo Period & Ovulation Tracker app. The settlement resolved allegations that FloHealth utilized tracking technologies to share consumers’ sensitive health information with third parties for marketing and advertising purposes.[ii] On March 2, 2023, the FTC announced a proposed settlement of similar claims against BetterHelp[iii], an online mental health treatment company. Similar cases could be on the horizon.

Of particular significance, on February 1, 2023, the FTC announced resolution of its first-ever Health Breach Notification Rule (“HBNR”) action.[iv] The Respondent in that case was GoodRx, a digital health platform offering consumers prescription drug discounts and telehealth services. Just a few months later, on May 17, 2023, the FTC settled a second case involving HBNR claims, this time against Easy Healthcare, developer of the Premom Ovulation Tracking App.[v] Allegations from both cases are discussed in more detail below.

The HBNR was enacted in 2009, but until now it essentially sat idle. The Rule applies to certain non-HIPAA covered entities and imposes reporting requirements when there is a breach of individually identifiable health information.[vi] In 2021, the FTC significantly expanded its interpretation of what entities the HBNR covers and what constitutes a breach that triggers reporting requirements.[vii] Organizations not covered by HIPAA that collect consumer health data (or entities that do business with such organizations) should heed recent FTC activity as a sign to stay abreast of FTC communications about the HBNR and work closely with legal counsel to develop a compliance strategy.

Important HBNR Statutory Terms

To understand the significance of recent FTC actions involving the HBNR, knowledge of some of the statutory terms and definitions is essential.

  • The Rule applies to “vendors of personal health records” (PHRs), a “PHR related entity” or a “third-party service provider for a vendor of PHRs or a PHR related entity.” It requires notification of individuals and the FTC following discovery of a “breach of security” of unsecured identifiable health information contained in a PHR maintained or offered by a vendor or related entity. Third-party service providers that discover such a breach are required to notify the vendor or related entity.[viii]
  • A “personal health record” is “an electronic record of PHR identifiable information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”[ix]
  • A “vendor of personal health records” is “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a PHR.”[x]
  • “PHR identifiable health information” is “individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. sec 1320d(6)), and, with respect to an individual, information that:
    • Is provided by or on behalf of the individual; and
    • That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.”[xi]
  • Under the Social Security Act definition, “individually identifiable health information” means any information, including demographic information collected from an individual, that:
    • is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
    • relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
    • identifies the individual; or
    • with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
  • “Breach of security” means “with respect to unsecured PHR identifiable health information of an individual in a PHR, acquisition of such information without the authorization of the individual.”[xii]

History Behind GoodRx and Premom – Statement of the Commission on Breaches by Health Apps and Other Connected Devices

In 2020, with more consumers utilizing apps and other technology to stay on top of their health, the FTC recognized that “more companies may be covered by the FTC’s Rule.”[xiii] Accordingly, it initiated rulemaking proceedings and sought public input about potential modifications to the Rule’s definitions and scope. For example, it asked whether it should change the definitions of “PHR related entity,” “third-party service provider,” and “vendor of PHRs”. It also asked, “What are the implications (if any) for enforcement of the Rule raised by direct-to-consumer technologies and services such as mobile health apps, virtual assistants, and platforms’ health tools?”[xiv]

In September 2021, with the rulemaking process still ongoing, the FTC reversed course and published the Statement of the Commission on Breaches by Health Apps and Other Connected Devices[xv] (the “Statement”). The Statement announced for the first time, that the FTC would enforce the HBNR against health app and connected device developers as “health care providers”[xvi] and that it would interpret “breach” to include not just cyberattacks but also sharing of identifying health information without consumer authorization.[xvii] Two commissioners wrote dissents. Both criticized the Commission for publishing the statement without first concluding the ongoing rulemaking process that sought input on these very issues. In addition, they faulted the other commissioners for significantly expanding the Rule in conflict with statutory language, congressional intent, and the Commission’s previously published business guidance.[xviii]

The GoodRx Case

In the GoodRx case, the FTC charged that GoodRx engaged in unfair and deceptive practices in violation of the Health Breach Notification Rule and Section 5 of the FTC Act.[xix] The allegations in the Complaint tracked the FTC’s expanded interpretation of the HBNR as set forth in the Statement. For example, the FTC alleged that the unauthorized disclosures of consumers’ unsecured PHR identifiable health information to Facebook and Google via web trackers constituted a “security breach.” In support of its claim that GoodRx was a “vendor of PHRs,” the FTC alleged as follows:

  • The website and mobile apps are electronic records of PHR identifiable information that are capable of drawing information from multiple sources, including:
    • inputs from users;
    • Medication Purchase Data, pricing, and refill information from Pharmacy Benefit Managers;
    • pharmacy information from pharmacies;
    • information about prescribed medications from healthcare professionals (such as the name of a medication prescribed during a telehealth session); and
    • users’ geographic location information from a third-party vendor that approximates geolocation based on IP address.
  • The information is also managed, shared, or controlled by or primarily for the users. GoodRx lets users keep track of their personal health information, including to save, track, and receive alerts about their prescriptions, refills, pricing, and medication purchase history.

In addition, the FTC alleged that GoodRx broke numerous data privacy promises it made to customers including: 

  • Promised users it would never share health information with advertisers or other third parties, yet used various tracking technologies to send sensitive information like users’ medications and health conditions to companies like Facebook and Google for the purpose of targeted advertising campaigns;
  • Promised users that it would only disclose their personal health information for limited purposes, then shared users’ names, addresses, email addresses, phone numbers, and other personal identifiers with advertising platforms; and
  • Promised consumers it would limit how third parties that received the information could use the information yet failed to do so.

Per the settlement, GoodRx will pay a $1.5 million penalty and be banned from sharing user health information with third parties for advertising purposes. In addition, GoodRx will need to obtain affirmative express consent from users before disclosing health information to third parties for purposes other than advertising, require third parties to delete data shared with third parties, restrict its data retention periods, and implement a comprehensive privacy program.[xx]

The Premom Case

According to the FTC’s Complaint, hundreds of thousands of women have input sensitive health information into the Premom app, including period dates and pictures of ovulation test strips the app uses for predicting the next ovulation cycle. Like GoodRx, in Premom the FTC claimed the app’s developer made promises it didn’t keep concerning collection and sharing of this “identifiable health information.” The Complaint alleged violations of both the FTC Act and the HBNR.

To support its claim that the app developer is a “vendor of personal health records,” the FTC alleged:

  • Premom encourages users to upload ovulation tests and large amounts of information to the app;
  • Premom encourages users to connect other apps and products to Premom and permit Premom to import health information from them; and
  • Premom allows users to manage and control the PHR identifiable health information in the app and track their ovulation, menstruation, and other health information.

The FTC further asserted that Premom transferred unsecured PHR identifiable health information to third parties like Google and AppsFlyer without users’ authorization. According to the Complaint, these “breaches of security” occurred for years and Premom failed to make breach notifications required by the HBNR.

Under the terms of the settlement, Easy Healthcare (Premom’s owner and developer) will pay a $100,000 civil penalty and:

  • Retain users’ personal information only as long as necessary to fulfill the purpose for which it was collected;
  • Will not make misrepresentations about its privacy practices;
  • Comply with HBNR notification requirements for any future breach of security;
  • Seek deletion of data it shared with third parties;
  • Notify consumers of the FTC’s allegations and the settlement; and
  • Implement comprehensive security and privacy programs with strong safeguards to protect consumer data.

In addition, in a related case, Easy Healthcare will pay $100,000 combined to Connecticut, D.C., and Oregon for violations of their laws.[xxi]

Proposed Amendments to HBNR

The day after the Premom settlement announcement, the FTC voted unanimously to issue a Notice of Proposed Rulemaking to amend the HBNR.[xxii] The proposed amendments were filed in the Federal Register on June 9 and comments will be accepted until August 8, 2023. Briefly, some of the proposed changes include:

  • Clarify the scope of the rule – Current definitions would be revised, and new definitions added, to clarify the FTC’s position that mobile health apps and similar technologies not subject to HIPAA are covered by the HBNR. With these changes, the FTC hopes to make clear that the HBNR applies generally to online platforms (“…including websites, apps, and Internet-connected devices…” providing health care services or supplies) and that it covers both medical and wellness services.
  • “PHR related entity” definition changes – Revise the definition to clarify that only entities that access or send unsecured PHR identifiable health information to a personal health record (not those that send ANY information) qualify as PHR related entities.
  • Require consumer authorization for sharing – Health apps would need to obtain consumers’ authorization to share their information with third parties and would be mandated to notify consumers in the event information is accessed without such authorization.
  • “Breach of security” definition changes – This definition would be modified to align with the position the FTC took in GoodRx and Premom. It would include unauthorized disclosures to third parties as well as data security breaches, hacking, and other cyber incidents.
  • Expand breach notice and content requirements – Email and other electronic methods could be used to send breach notifications to consumers. Breach notices would need to contain additional information, such as names of third parties who may have accessed information.
  • Penalties – add a new section to the rule that states the penalties (up to $50,120 per violation per day) for non-compliance.

For more detail, read the Proposed Amendments in full.

FTC publications

For more information on the FTC’s current interpretation of the HBNR, HBNR compliance, and other FTC enforcement activity, consult the following publications:


[i] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog; FTC Business Blog (2023, March 3), FTC says online counseling service BetterHelp pushed people into handing over health information – and broke its privacy promises. https://www.ftc.gov/business-guidance/blog/2023/03/ftc-says-online-counseling-service-betterhelp-pushed-people-handing-over-health-information-broke; FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[ii] FTC Press Release (2021, January 13), Developer of popular women’s fertility-tracking app settles FTC allegations that it misled consumers about the disclosure of their health data. https://www.ftc.gov/news-events/news/press-releases/2021/01/developer-popular-womens-fertility-tracking-app-settles-ftc-allegations-it-misled-consumers-about; https://www.ftc.gov/system/files/documents/cases/flo_health_order.pdf.

[iii] FTC Press Release (2023, March 3), FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising. https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook

[iv] 16 CFR. § 318; FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[v] FTC Business Blog (2023, May 17), FTC says Premom shared users’ highly sensitive reproductive health data: Can it get more sensitive than that? https://www.ftc.gov/business-guidance/blog/2023/05/ftc-says-premom-shared-users-highly-sensitive-reproductive-health-data-can-it-get-more-personal

[vi] The Rule implements the requirements of the American Recovery & Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115, codified at 42 U.S.C. § 17937; see FTC Health Breach Notification Rule summary, https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule & Complying with FTC’s Health Breach Notification Rule, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.

[vii] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[viii] 16 CFR. § 318.3. Vendors of PHRs must notify the media if the breach affects (or is reasonably believed to affect) more than 500 individuals. Id. at § 318.5(b).

[ix] Id. at § 318.2(d).

[x] Id. at § 318.2(j).

[xi] Id. at § 318.2(e).

[xii] Id. at § 318.2(a).

[xiii] Health Breach Notification, Request for Public Comment, 85 Fed. Reg. 31085 (May 22, 2020).

[xiv] Id.; see also Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf

[xv] FTC (2021, September 15). Statement of the Commission on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596364/statement_of_the_commission_on_breaches_by_health_apps_and_other_connected_devices.pdf

[xvi] The combined statutory definitions of “vendor of personal health records,” “personal health record” and “individually identifiable health information” provide that a PHR vendor subject to the statute is a “health care provider, health plan, employer, or health care clearinghouse.”

[xvii] Id.

[xviii] Wilson, C. (2021, Sept. 15) Dissenting statement of Commissioner Christine S. Wilson Policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596356/wilson_health_apps_policy_statement_dissent_combined_final.pdf; Phillips, N.J. (2021, Sept. 15) Dissenting statement of Commissioner Noah Joshua Phillips regarding the policy statement on breaches by health apps and other connected devices. https://www.ftc.gov/system/files/documents/public_statements/1596328/hbnr_dissent_final_formatted.pdf

[xix] FTC Business Blog (2023, February 1), First FTC Health Breach Notification Rule case addresses GoodRx’s not-so-good privacy practices. https://www.ftc.gov/business-guidance/blog

[xx] Id.

[xxi] FTC Press Release (2023, May 17), Ovulation tracking app Premom will be barred from sharing health data for advertising under proposed FTC order. https://www.ftc.gov/news-events/news/press-releases/2023/05/ovulation-tracking-app-premom-will-be-barred-sharing-health-data-advertising-under-proposed-ftc

[xxii] FTC Press Release (2023, May 18), FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule. https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule

By: Rubi Bujanda – Gammage & Burnham, PLC

The Pregnant Workers Fairness Act (PWFA) went into effect this past Tuesday, June 27, 2023. 

The PWFA requires employers with 15 or more employees to provide reasonable accommodations to employees and applicants with known limitations related to pregnancy, childbirth, or a related medical condition. Modeled after the Americans with Disabilities Act (ADA), the PWFA uses the same definition of reasonable accommodation and does not require that employers provide accommodations that cause an undue hardship. Like with the ADA, covered employers must participate in the interactive process if they receive an accommodation request from a pregnant worker. The PWFA also contains prohibitions. Employers may not do the following:

  • Require an employee to accept an accommodation without a discussion about the accommodation between the worker and the employer;
  • Deny a job or other employment opportunity to a qualified employee or applicant based on the person’s need for a reasonable accommodation;
  • Require an employee to take leave if another reasonable accommodation can be provided that would allow the employee to continue working;
  • Retaliate against an individual for reporting or opposing unlawful discrimination under the PWFA or participating in a PWFA proceeding; or
  • Interfere with any individual’s rights under the PWFA.

To recover for a violation of the PWFA, an employee must first exhaust administrative remedies by filing a charge with the EEOC. The EEOC started accepting charges under the PWFA on Tuesday, June 27, 2023. For the PWFA to apply, the situation complained about in the charge must have happened on June 27, 2023, or later (although employees can still pursue charges based on Title VII and/or ADA for conduct prior to June 27, 2023).

Next Steps for Employers

  • Remove your old EEOC “Know Your Rights” posters and replace them with the updated version available here: https://www.eeoc.gov/poster.
  • Review your employee handbook and revise accommodations policies to include reasonable accommodations for workers who have known limitations related to pregnancy, childbirth, or related medical conditions.
  • Train managers to recognize situations in which the PWFA applies and consider what reasonable accommodations may be available in the workplace.

By: Nicholas H. Meza, J.D., M.P.H., Richard Davis, J.D., Theresa DeAngelis, J.D.

On Friday April 21, 2023, the United States Supreme Court granted the application filed by the Food and Drug Administration (“FDA”) and Danco Laboratories, LLC[1] to stay the lower court’s decision in the high-profile mifepristone litigation. The lower court’s decision reversed the FDA’s original approval of mifepristone (issued in 2000) and has created serious obstacles for all entities and individuals involved in the mifepristone distribution supply chain. The Supreme Court’s decision temporarily ensures nationwide access to mifepristone while the merits of the lawsuit are litigated in the Fifth Circuit Court of Appeals. The Fifth Circuit heard oral arguments related to this litigation on May 17th, 2023, and generally expressed sympathy for the parties seeking to limit the sale of mifepristone.

This article provides a summary of mifepristone regulation, the mifepristone litigation, and concludes with implications for entities involved in the manufacture, sale, and dispensation of mifepristone.

I. Background on Mifepristone Regulation

Over 20 years ago, in 2000, the FDA approved mifepristone. The drug blocks the progesterone hormone needed for a pregnancy to continue and is used with misoprostol to end pregnancies through ten weeks gestation. Mifepristone was initially approved under “Subpart H” regulations implemented under the Federal Food Drug and Cosmetic Act (“FFDCA”) to expedite the approval of “new drug products that have been studied for their safety and effectiveness in treating serious or life-threatening illnesses.”[2]

FDA imposed “restrictions to assure safe use” including an in-person dispensing requirement and permitted the drug to be distributed only to prescribers who agreed to dispense it in certain healthcare settings, by or under the supervision of a qualified physician who attested to the ability to accurately date pregnancies and diagnose ectopic pregnancies. Specifically, the restrictions required that mifepristone be used for pregnancies under 50 days gestation, in connection with three in-person office visits,[3] with supervision of a qualified physician, and where all adverse events would be reported. Today, these types of restrictions in connection with FDA drug approval are referred to as Risk Evaluation and Mitigation Strategy (“REMS”).[4]

In 2016, the FDA updated the drug label for mifepristone, expanding use through ten weeks of pregnancy. The FDA also made major changes to mifepristone’s REMS, including: (1) increasing the maximum gestational age at which a woman can use the drug from 49 to 70 days; (2) reducing the number of required in-person office visits from three to one; (3) allowing non-doctors to prescribe and administer the chemical abortions drugs; and (4) eliminating the requirement for prescribers to report non-fatal adverse events from chemical abortion.[5] In 2021, FDA announced “enforcement discretion” to allow mifepristone to be dispensed through the mail during COVID-19. Finally, on January 3, 2023, FDA approved a modified REMS, permanently lifting the in-person dispensing requirement.[6]

II. Mifepristone Litigation

In November of last year, several months after the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization,[7] a coalition of doctors and medical associations filed a lawsuit in the United States District Court for the Northern District of Texas to, inter alia, vacate the FDA’s approval of mifepristone, FDA’s 2016 REMS changes, and the 2021 mail order decision.[8]

In essence, plaintiffs argued that the FDA’s approval and subsequent administrative actions with respect to the drug violated the federal Administrative Procedure Act. Plaintiffs argued that: (1) to approve the drug, FDA improperly relied on Subpart H’s accelerated approval because pregnancy is not a life-threatening illness; (2) FDA improperly ignored scientific evidence in approving and setting distribution controls for the drug; and (3) the Comstock Act, an 1873 obscenity law, prohibits the mailing of any medication used for abortion.[9]

In response, the FDA argued, inter alia, that it properly exercised its authority under the FFDCA and applied its scientific expertise when approving and making determinations about mifepristone and that the Comstock Act is inapplicable when the sender of the product intends the product to be used lawfully.

Deciding on plaintiffs’ and FDA’s arguments, on April 7, 2023, Judge Matthew Kacsmaryk issued a preliminary injunction, staying the FDA’s 23-year-old approval of mifepristone. In his ruling, Judge Kacsmaryk found that a preliminary injunction was appropriate due to the “substantial threat of irreparable harm” arising both from claims that the use of mifepristone is dangerous and that the FDA did not appropriately follow its approval processes in approving mifepristone—notwithstanding that FDA has repeatedly said that the use of mifepristone is safe, effective, and that any adverse effects are a “rarity.”

Within the hour of this ruling, Washington federal court judge Thomas O. Rice issued an order in a similar case,[10] which directly contradicted the Texas ruling. Essentially, the Washington ruling ordered the FDA to make no changes regarding the availability of mifepristone in 17 states and the District of Columbia which expressly permit the drug’s use for medication abortions.

Mifepristone’s legality was immediately thrown into question in light of the conflicting rulings. The FDA immediately appealed the Texas District Court’s decision to the Fifth Circuit. The Fifth Circuit stayed the district court’s suspension of FDA’s original approval of mifepristone. But it would not stay the suspension of subsequent updates to the conditions on the drug’s use, which have governed the drug’s distribution for seven years. In effect, the Fifth Circuit’s order permitted mifepristone to remain on the market, but simultaneously made it illegal to send the drug across state lines by eliminating the effective date of the 2016 Major REMS Changes.

The FDA and Danco Laboratories petitioned the Supreme Court for an emergency stay of the district court’s order pending the appeal of the case. The Supreme Court granted the stay of the lower court’s ruling in a short opinion order[11] and sent the case back to the Fifth Circuit for the Fifth Circuit to consider the case on its merits. Thus, the Supreme Court granted the stay of the April 7, 2023 order of the United States District Court of the Northern District of Texas pending the disposition of the appeal in the United States Court of Appeals for the Fifth Circuit and a disposition for a writ of certiorari to the Supreme Court, if such a writ is timely sought. Should the Supreme Court deny certiorari, the stay will terminate automatically. If the Supreme Court grants certiorari, the stay shall terminate upon the Supreme Court’s judgment.

In contrast to the brevity of the majority’s opinion order, Justice Alito wrote a lengthier dissent, finding Danco had not shown that they were “likely to suffer irreparable harm,” in the “presumably short period at issue” where Danco argued primarily that it could not continue to market mifepristone because the drug would be mislabeled, and that distribution could not resume until Danco satisfied certain regulatory requirements. However, according to Justice Alito, this “would not take place, … unless the FDA elected to use its enforcement discretion to stop Danco, and the applicants’ papers do not provide any reason to believe the FDA would make that choice.” Justice Alito cited that the FDA had previously invoked its enforcement discretion to permit the distribution of mifepristone in a way that the regulations then in force prohibited.

As a result of the stay, mifepristone will be available in interstate commerce at least until the Fifth Circuit ruling, which will likely end up before the Supreme Court again.

Most recently, the three-judge panel of the Fifth Circuit heard approximately two hours of oral arguments on May 17th, 2023, including whether plaintiffs could be found to have legal standing by showing they would suffer a real injury if approval of and access to mifepristone remains the same. FDA argued that the plaintiffs waited over two decades after mifepristone’s approval to bring their case. The panel expressed criticism of FDA and sympathy for the plaintiffs generally.

III. Implications

A Fifth Circuit ruling in favor of the plaintiffs would have sweeping effects beyond starkly curtailing or potentially eliminating the availability of mifepristone. Notwithstanding the potential prohibition of patients across the country to access mifepristone, as described by pharmaceutical industry stakeholders in an amicus brief filed with the Supreme Court, “If allowed to take effect, the district court’s decision will result in a seismic shift in the clinical development and drug approval processes, erecting unnecessary and unscientific barriers to the approval of lifesaving medicines, chilling drug development and investment, threatening patient access, and destabilizing the pharmaceutical industry.”[12] Such a ruling would constitute a radical departure from court deference that is given to the scientific and medical judgment of the FDA — the regulatory agency with scientific expertise designated by Congress as the sole regulator of drugs.

This dramatic departure from traditional deference to the FDA ostensibly means that a court can “undo” FDA approval for a drug it “doesn’t like.” For example, the precedent set by such a decision could result in a court undoing the approval of gender affirming drugs/puberty blockers, which are currently being targeted at the state level in the same manner in which abortion-inducing drugs are being targeted.

Pharmaceutical manufacturers could also invoke such a decision as a weapon to challenge FDA approval of competitor drugs. In these ways, the FDA approval process—and medications which are relied on by patients—could be taken off the market due to one judge’s opinion.

Also at issue is whether the Fifth Circuit will apply the Comstock Act to prohibit the mailing of any abortion-inducing drug in the United States. In some respects, such a ruling would provide clarity regarding the legality (or illegality) of interstate dispensing of mifepristone, something that mail-order pharmacies and wholesale distributors have struggled to monitor as a patchwork of states implement medication abortion bans. On the other hand, should the court rule in favor of the FDA, pharmacies, wholesale distributors and providers will need to continue to monitor state-specific bans and, perhaps, future challenges to such bans on the basis of federal preemption.

Ultimately, the Fifth Circuit has espoused its openness to such a ruling, but it remains to be seen whether the Supreme Court would grant certiorari and how the Supreme Court would treat such a ruling. Stakeholders and the public are left only to wait.


[1] Danco Laboratories, LLC is the manufacturer which holds the approved New Drug Application for Mifeprex (mifepristone) Tablets.

[2] 21 CFR § 314.500 et seq.

[3] The first two visits were to administer mifepristone and the third to assess any complications and ensure there were no fetal remains in the womb. Specifically, requirements included in-person dispensing by or under the supervision of a qualified physician, dispensing of misoprostol at the provider’s office or clinic, and a follow-up visit 14 days later. See generally, https://www.fda.gov/drugs/postmarket-drug-safety-information-patients-and-providers/information-about-mifepristone-medical-termination-pregnancy-through-ten-weeks-gestation

[4] In 2007, the FFDCA was amended to authorize the FDA to require a REMS for a drug if the FDA deems it is necessary to ensure that the drug’s benefits outweigh its risks.

[5] After the generic version of mifepristone was approved in 2019, one unified REMS was issued for both generic and brand name versions.

[6] Also, in January of 2023, the FDA modified the REMS to provide a process for pharmacies to become certified by the manufacturer of the drug to dispense mifepristone. 

[7] 142 S. Ct. 2228 (2022), available at https://www.supremecourt.gov/opinions/21pdf/19-1392_6j37.pdf

[8] Alliance for Hippocratic Medicine et al. v. U.S. Food and Drug Administration et al., No. 2:22-cv-223 (N.D. Tex. filed Nov. 18, 2022).

[9] As a practical matter, the mifepristone litigation as described above applies solely to FDA approval related to brand and generic versions of mifepristone, which are FDA-approved for purposes of inducing a medication abortion. The litigation does not challenge the FDA approvals for other drugs containing mifepristone, such as Korlym, a drug used to treat Cushing’s syndrome.

[10] Washington et al. v. United States Food and Drug Administration et al., No. 1:23-cv-03026 (E.D. Wash. filed Feb. 23, 2023).

[11] Danco Lab’ys, LLC v. All. for Hippocratic Med., 143 S. Ct. 1075 (2023).

[12] See Pharmaceutical Companies et al., Amicus Brief, available at https://www.supremecourt.gov/DocketPDF/22/22A902/263624/20230414164838799_2023-04-14%20SCOTUS%20Amicus%20Brief%20FINALa.pdf

By: Melissa A. Soliz and Benjamin Yeager, Coppersmith Brockelman PLC 

Introduction

During the worst days of the COVID-19 pandemic, the Trump Administration signed into law the Coronavirus Aid, Relief, and Economic Security Act of 2020 (the CARES Act).[1] Amongst its many provisions was a promise in Section 3221 to align the stringent privacy protections for substance use disorder (SUD) records in 42 U.S.C. § 290dd-2 and 42 C.F.R. Part 2 (collectively, “Part 2”) with HIPAA.[2]  

Congress directed the Secretary of the Department of Health and Human Services (HHS) to make necessary revisions to the Part 2 regulations to implement and enforce the CARES Act amendments by March 27, 2021. That date came and went, with directions from HHS that the Part 2 statutory changes would be delayed until the finalization of new regulations.[3] On December 2, 2022, HHS published its Notice of Proposed Rule Making (NPRM) to revise the Part 2 regulations to implement the CARES Act amendments.[4]

If finalized as proposed, the rule may at long last accomplish HHS’ goal of significantly aligning Part 2 with HIPAA as it applies to individuals and organizations that are HIPAA covered entities or business associates. It will also provide investigative agencies with certain liability protections regarding their management of Part 2 records. HHS proposes to require substantial compliance with the new requirements within 24 months after publication of a final rule. Additionally, for the proposed Part 2 Accounting Requirements, HHS proposes to toll the compliance date until the effective date of a final rule on the HIPAA accounting of disclosures standard (see 45 CFR 164.528).

This blog post puts the NPRM in context and breaks down its key components to provide health care providers, health plans and their business associates with the basic information they need to understand the proposed changes to the Part 2 regulations. Comments on the NPRM are due no later than January 31, 2023 and can be submitted electronically at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA16.

Brief Historical Background

Part 2’s privacy protections for SUD records predated HIPAA by nearly thirty years. In 1970 and 1972, Congress passed the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act[5] and the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972.[6] At the time these laws were passed, there was no comprehensive federal law to protect the privacy of health information. To encourage individuals suffering from SUDs to seek treatment without the fear of stigma and retaliation, Congress passed these laws to stringently protect the privacy of these individuals. Congress sought to do that by making treatment of these individuals invisible to everyone, unless the individual specifically consented to the disclosure of their SUD records. 

These laws were followed by implementing regulations in 1975,[7] which were subsequently amended in 1987.[8] Part 2 remained relatively unchanged for nearly three decades after that. In the meantime, the health care industry underwent massive changes with the passage of HIPAA and implementation of the HIPAA regulations to provide nationwide protection for all protected health information, the shift to electronic medical records and interoperability mandates, the need for integrated care and integrated delivery models, and the rise of the opioid epidemic, which swelled the ranks of those suffering from SUDs to include neighbors, co-workers, family members and friends. The Part 2 privacy barriers erected during the 20th century with the intent of encouraging effective SUD treatment and reducing stigma and discrimination, were having the unintended effect in the 21st century of achieving precisely the opposite result.  

In 2017, 2018 and 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) made valiant efforts to chip away at the Part 2 barriers to SUD data sharing, care coordination, and research.[9] However, there was only so much that the agency could accomplish within its regulatory authority and without a statutory change to 42 U.S.C. § 290dd-2.

That statutory change came with the passage of the CARES Act. On March 27, 2020, Congress passed the CARES Act[10] to provide emergency assistance to individuals, families, and businesses affected by the COVID-19 pandemic. Section 3221 of the CARES Act—Confidentiality and Disclosure of Records Relating to Substance Use Disorder—substantially amended 42 U.S.C. § 290dd-2 to more closely align the Part 2 privacy standards with HIPAA’s privacy standards, breach notification requirements, and enforcement authority. Congress further directed HHS to revise the Part 2 regulations to implement these statutory amendments. On December 2, 2022, HHS published the NPRM to solicit public comment on its proposal to implement this great alignment of the SUD privacy law with HIPAA. 

Summary of Material Changes and Significance for Stakeholders

Enforcement, Penalties and Breach Reporting

HHS’ proposed changes to the Part 2 enforcement structure, penalties and breach reporting requirements are among the most significant revisions to the Part 2 regulations. 

Under the current Part 2 regulations, the Department of Justice (DOJ) is tasked with enforcing Part 2 violations with criminal penalties.[11] According to the NPRM, DOJ had not undertaken any criminal action to enforce Part 2 as of June 2018.[12] And unlike HIPAA, Part 2 has no breach notification rules that would require a Part 2 program to report the unauthorized use or disclosure of unsecured Part 2 records to individuals, regulators or any other third parties.

The NPRM, if finalized, would radically change the enforcement and breach reporting structure, as required by the CARES Act amendments. First, the NPRM would shift enforcement authority to HHS to enforce Part 2 under the same civil and criminal enforcement structure used for HIPAA.[13] For example, HHS could impose civil penalties against any person for Part 2 violations ranging from $100 to $50,000 per violation with an annual cap of $25,000 to $1.5 million (not adjusted for inflation), depending on the level of intent involved.[14] However, the NPRM also proposes to limit civil and criminal liability for “investigative agencies,” provided that the agency (or investigator) acts with reasonable diligence and satisfies certain conditions.[15] HHS proposes to define an “investigative agency” as “a state or federal administrative, regulatory, supervisory, investigative, law enforcement, or prosecutorial agency having jurisdiction over the activities of a part 2 program or other person holding part 2 records.”[16] This liability protection only extends to investigations of a Part 2 program or other lawful holders of the Part 2 record (not a patient).[17] HHS seeks comment on whether this liability protection should be extended to others. 

Second, HHS proposes to apply the HIPAA breach notification standards to Part 2 programs with respect to breaches of unsecured Part 2 records.[18] This means that a Part 2 program—regardless of whether the Part 2 program is also a HIPAA covered entity—would need to notify affected individuals, HHS, and media outlets (if the breach involves more than 500 residents of a given state or jurisdiction) in the event of breach of unsecured records.[19] The NPRM would also hold Part 2 programs and other lawful holders of Part 2 records responsible for meeting the same privacy and security requirements for the protection of Part 2 records under 42 CFR 2.16, such as maintaining adequate policies and procedures to reasonably protect against unauthorized uses and disclosures.[20]

If the NPRM is finalized, stakeholders should expect significantly more enforcement of the Part 2 regulations within 24 months after the effective date of the final rule.

Part 2 Applicability and Part 2 Records

Part 2 applicability refers to the type of information Part 2 protects and the types of persons and entities that are required to comply with Part 2. Part 2 protects patient identifying information that directly or indirectly identifies a patient as having (or having had) a SUD if it originates from a Part 2 program (collectively, “Part 2 information”).[21] A Part 2 program is either: (1) a person or entity, including an identifiable unit within a general medical facility, that holds itself out as providing (and provides) SUD diagnosis, treatment or referral for treatment services (collectively, “SUD services”); or (2) medical personnel or other staff whose primary function is the provision of such SUD services and who are identified as a SUD provider.[22] Part 2’s disclosure restrictions also apply to other lawful holders of Part 2 information. Other lawful holders include qualified service organizations (QSOs), such as HIPAA business associates of Part 2 programs or other lawful holders of Part 2 information; third-party payers that receive Part 2 records from Part 2 programs; entities having direct administrative control over Part 2 programs; and other individuals or entities who receive Part 2 records and who are notified of the prohibition on re-disclosure of those records.[23]

As discussed in greater detail below, the NPRM would make significant changes to the applicability of Part 2 to health plans and HIPAA Limited Data Sets. HHS also seeks comment on another potentially significant change to a subset of Part 2 records—SUD counseling notes. HHS further proposes to make clarifying changes throughout the Part 2 regulations that Part 2’s privacy restrictions apply to the use and disclosure (as those terms are defined by HIPAA) of Part 2 records,[24] as well as more precise use of the terms: person; patient; and individual.[25]

Health Plans

HHS is proposing to exempt health plans from compliance with the Part 2 regulations with respect to a wide swath of Part 2 information that health plans receive from Part 2 programs on a daily basis (such as claims and encounter data). 

Currently, Part 2’s downstream disclosure restrictions apply in pertinent part to: (1) “third-party payers”[26] (including health plans) that receive Part 2 information from part 2 programs; and (2) other persons that receive Part 2 records from Part 2 programs or other lawful holders, but only if those records are accompanied by the prohibition on redisclosure notice.[27] HHS proposes to change the definition of “third-party payer” to expressly exclude “health plans” (as defined by HIPAA),[28] and to clarify that the applicability provision in 42 CFR 2.12(d)(2)(i)(A) only applies to third-party payers (as defined by the amended Part 2 regulations).[29] Thus, if finalized, Part 2’s disclosure restrictions in 42 CFR 2.12(d) would only apply to health plans that receive Part 2 records that are accompanied by the prohibition on redisclosure notice. The restrictions would no longer automatically extend to Part 2 information disclosed by Part 2 programs to health plans without the notice. 

This proposed change could significantly reduce the amount of SUD information entitled to Part 2 protection given that most administrative systems and clearinghouses cannot transmit the prohibition on redisclosure notice with claims and encounter data from Part 2 programs to health plans. Moreover, the proposed changes to the Part 2 consent requirements and redisclosure permissions should permit health plans—as HIPAA covered entities—to use and redisclose the Part 2 program records they receive for any HIPAA-permitted purpose. 

HIPAA Limited Data Sets

Under the current Part 2 regulations, Part 2 arguably does not apply to HIPAA Limited Data Sets (e.g., data sets that are stripped of direct HIPAA identifiers under 45 CFR 164.514(e)(2)) that are protected against re-identification under a HIPAA Data Use Agreement (see 45 CFR 164.514(e)(4)(ii)(C)(5)). That’s because 42 CFR 2.16 recognizes that Part 2 programs and other lawful holders of Part 2 records can render the “identifying information non-identifiable in a manner that creates a very low risk of re-identification” by “removing direct identifiers.”[30]

In the NPRM, HHS proposes to align the Part 2 de-identification standard in 42 CFR 2.16 with the HIPAA Privacy Rule’s de-identification standard.[31] HIPAA requires use of an expert statistician method for de-identification or removal of all direct and indirect HIPAA identifiers.[32] If finalized as proposed, this change could have a significant impact on SUD research and quality improvement projects that are conducted with a HIPAA Limited Data Set under a HIPAA Data Use Agreement. 

SUD Counseling Notes

HHS also seeks comment on whether it should impose heightened privacy protections on a subset of Part 2 records called “SUD counseling notes.”[33] HHS proposes to define and treat “SUD counseling notes” similar to HIPAA “Psychotherapy Notes” with respect to individual access rights and third-party disclosures.[34] Specifically, HHS would define “SUD counseling notes” as “notes recorded (in any medium) by a Part 2 program provider who is a SUD or mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the patient’s record.”[35] If adopted, SUD counseling notes would require separate written consent prior to disclosure and would be exempt from an individual’s right of access.[36]

The Part 2 Notice and HIPAA Notice of Privacy Practices (NPP)

HHS proposes to change the current Part 2 summary requirements for Part 2 programs and to modify current HIPAA Notice of Privacy Practices (NPP) requirements for covered entities. 

Under the current Part 2 regulations, a Part 2 program must provide written notice to a patient—at the time the patient is admitted (or as soon as the patient has the capacity to understand his or her medical status)—that the patient’s SUD records are protected by Part 2 (the “Part 2 summary”).[37] The Part 2 summary must include: 

  • A general description of the limited circumstances under which a Part 2 program may acknowledge that an individual is present or disclose outside the Part 2 program information identifying a patient as having or having had a SUD; 
  • A statement that violation of the Part 2 regulations is a crime and that suspected violations may be reported to appropriate authorities, along with contact information; 
  • A statement that information related to a patient’s commission of a crime on the premises of the Part 2 program or against personnel of the Part 2 program is not protected; 
  • A statement that reports of suspected child abuse and neglect made under state law to appropriate state or local authorities are not protected; and 
  • A citation to the federal law and regulations.[38]

A Part 2 program that is also a HIPAA covered entity may combine the Part 2 summary with its HIPAA NPP or provide the Part 2 summary as a separate form.

A HIPAA NPP is much more robust than the Part 2 Summary.[39] For example, an NPP must include all of the following:

  • A prominently displayed header;
  • Descriptions of all the permitted and required uses and disclosures of the patient’s PHI, including if another more stringent law materially limits a HIPAA-permitted use or disclosure;
  • Separate statements for certain uses and disclosures, such as the option to opt out of fundraising communications; 
  • Statements regarding the individual’s right to request certain restrictions, the right to receive confidential communications, the right of access, the right to request an amendment to PHI, right to an accounting of certain types of disclosures, and the right to receive a paper copy of the NPP;
  • A covered entity’s duties, such as notifying individuals following a breach of unsecured PHI;
  • A statement regarding how to file complaints and non-retaliation; and
  • Other requirements, such as contact information and effective date.[40]

In the NPRM, HHS makes the following three proposals: 

  • Align the Part 2 summary requirements with relevant HIPAA NPP requirements, thereby reimagining the Part 2 Summary as a more robust Part 2 Notice (also referred to as the Patient Notice).[41] HHS also proposes to add language to 42 CFR 2.2, 2.4 and 2.26 to align the Part 2 complaint process[42] and the patient’s right to request restrictions on how their Part 2 records are used for treatment, payment and health care operations (“TPO”) purposes[43] with the HIPAA Privacy Rule; 
  • Modify the HIPAA NPP requirements for covered entities to include certain information about Part 2, including Part 2’s restrictions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against the individual, among other changes.[44] Some of HHS’ proposed NPP changes reflect modifications HHS previously proposed in the NPRM to Modify the Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement;[45] and
  • Remove the so-called inmate exception to HIPAA NPP requirements. This is the exception that allows covered entities to withhold notice from an incarcerated individual with respect to their health information privacy rights and a covered entity’s practices.[46]

The first proposal would ensure that patients of all Part 2 programs will enjoy the same level of notice and transparency as patients of HIPAA covered entities.[47] Specifically, HHS proposes to require that the Part 2 Notice include all of the following:

  • A header nearly identical to the one required for a HIPAA NPP;
  • Descriptions of the uses and disclosures that are permitted for TPO purposes, permitted without written consent, or will only be made with written consent;
  • A patient’s right to request restrictions on disclosures made with prior consent for TPO purposes and when a Part 2 program must agree to a request;
  • A patient’s right to obtain restrictions of disclosures of Part 2 records to a patient’s health plan for those services for which a patient has paid in full in the same manner as HIPAA (see 45 CFR 164.522);
  • A patient’s right to an accounting of disclosures (see Part 2 Accounting Requirements);
  • A patient’s right to obtain an electronic or non-electronic copy of the Part 2 notice upon request;
  • A right to discuss the notice with a designated contact person identified by the Part 2 program; 
  • Statements regarding the Part 2 program’s duties with respect to Part 2 records, including the obligation to inform patients of changes to the Part 2 Notice and breach notifications; 
  • A process for patients to complain to the Part 2 program and HHS when they believe their privacy rights have been violated, as well as how to file a complaint and that a patient will not be retaliated against for filing a complaint; and
  • Part 2 program contact information and the effective date of the Part 2 Notice.[48]

HHS also proposes to:

  • Give Part 2 programs the option of listing additional elements that may be included in the Part 2 Notice, such as when a Part 2 program may choose to more stringently protect Part 2 records (except as may be required by law or permitted for emergency treatment); and 
  • Further align related Part 2 Notice requirements regarding revisions and implementation specifications with similar HIPAA NPP requirements.[49]

The second proposal—modifying the HIPAA NPP—will ensure that adequate notice is given to patients regarding how covered entities may use and disclose Part 2 records and other changes identified by HHS in the NPRM.[50] And the third proposal will ensure that correctional facilities (such as jails and prisons) that are covered entities are held to the same notice requirements as other covered entities.[51]

Finally, HHS is seeking feedback on whether it should impose a consent or opt-out requirement on Part 2 programs and other lawful holders of Part 2 records with respect to the use of Part 2 records to create de-identified data sets or to use Part 2 records for fundraising. HHS is proposing that Part 2 programs obtain written consent for fundraising because HHS believes that fundraising is far enough outside an individual’s reasonable expectation of how their Part 2 records will be used or disclosed that Part 2 programs should obtain written consent.[52] However, HHS is not proposing consent for de-identification activities, stating that it would be inconsistent with Congress’ intent that de-identified information from Part 2 records be disclosed for public health purposes.[53]

Patient Consent and Downstream Uses and Redisclosures of Part 2 Records

Most importantly, HHS proposes to align with HIPAA the Part 2 consent requirements and the downstream uses and disclosures of Part 2 records that are permitted pursuant to a patient’s consent for treatment, payment and health care operations (a “TPO consent”).

Required Part 2 Consent Elements

HHS proposes to rewrite the Part 2 consent elements to align with current HIPAA authorization elements. Specifically:

Each consent element is listed below with the current text (42 CFR 2.31)[54], the proposed text (42 CFR 2.31)[55], and a summary of the change.

Element (1)
  Current: The name of the patient.
  Proposed: The name of the patient.
  Summary of change: No change.

Element (2)
  Current: The specific name(s) or general designation(s) of the part 2 program(s), entity(ies), or individual(s) permitted to make the disclosure.
  Proposed: The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  Summary of change: Technical alignment with HIPAA. No material change.

Element (3)
  Current: How much and what kind of information is to be disclosed, including an explicit description of the substance use disorder information that may be disclosed.
  Proposed: A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  Summary of change: Substantive change and alignment with HIPAA.

Element (4)(i) – General requirement for designating recipients
  Current: The name(s) of the individual(s) or the name(s) of the entity(-ies) to which a disclosure is to be made.
  Proposed: The name(s) of the person(s), or class of persons, to which a disclosure is to be made (“recipient(s)”). For a single consent for all future uses and disclosures for treatment, payment, and health care operations, the recipient may be described as “my treating providers, health plans, third-party payers, and people helping to operate this program” or a similar statement.
  Summary of change: Substantive change and partial alignment with HIPAA with respect to generally designating recipients; however, it is unclear whether HHS intends to limit the use of a TPO consent to the following types of recipients: treating providers; health plans; third-party payers; and people helping to operate a Part 2 program. It is also unclear whether a mixed-use facility that operates a Part 2 program may designate the corporate entity as a recipient of a TPO consent for purposes of authorizing redisclosure for HIPAA-permitted purposes.

Element (4)(ii) – Special instructions for intermediaries
  Current (titled “Special instructions for entities that facilitate the exchange of health information and research institutions”): Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity facilitates the exchange of health information or is a research institution, a written consent must include the name(s) of the entity(-ies) and (A) The name(s) of individual or entity participant(s); or (B) A general designation of an individual or entity participant(s) or class of participants that must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being disclosed. When using a general designation, a statement must be included on the consent form that the patient (or other individual authorized to sign in lieu of the patient), confirms their understanding that, upon their request and consistent with this part, they must be provided a list of entities to which their information has been disclosed pursuant to the general designation (see § 2.13(d)).
  Proposed: Notwithstanding paragraph (a)(4)(i) of this section, if the recipient entity is an intermediary, a written consent must include the name(s) of the intermediary(ies) and (A) The name(s) of the member participants of the intermediary; or (B) A general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.
  Summary of change: Technical changes and a substantive change to remove the requirement that the consent form contain a statement of the patient’s right to a list of disclosures made by the intermediary. Notably, HHS is still requiring that the consent form name the recipient entity if the recipient entity is an “intermediary” (as defined by Part 2), and HHS proposes to limit the redisclosure by the intermediary to only those participants of the intermediary that are named or who have a “treating provider relationship” (as defined by Part 2) with the patient. It is unclear how this restriction would apply in instances where the intermediary is also a HIPAA business associate recipient of the Part 2 records pursuant to a TPO consent.

Element (4)(iii) – Special instructions when designating certain recipients
  Current: N/A
  Proposed: If the recipient is a program, covered entity, or business associate to whom a record (or information contained in a record) is disclosed for purposes of treatment, payment, or health care operations as defined in this part, a written consent must include the statement that the patient’s record (or information contained in the record) may be redisclosed in accordance with the permissions contained in the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.
  Summary of change: Additional content must be added to a TPO consent to provide the patient with notice of the downstream uses and redisclosures of the Part 2 record when the recipient is another Part 2 program, covered entity, or business associate.

Element (5)
  Current: The purpose of the disclosure. In accordance with § 2.13(a), the disclosure must be limited to that information which is necessary to carry out the stated purpose.
  Proposed: A description of each purpose of the requested use or disclosure. (i) The statement “at the request of the patient” is a sufficient description of the purpose when a patient initiates the consent and does not, or elects not to, provide a statement of the purpose. (ii) The statement “for treatment, payment, and health care operations” is a sufficient description of the purpose when a patient provides consent once for all such future uses or disclosures for those purposes. (iii) Fundraising. If applicable, a statement that a patient consents to the use or disclosure of the patient’s records for the purpose of fundraising for the benefit of the program.
  Summary of change: Substantive changes to align with HIPAA and to support use of a TPO consent or, if applicable, consent for fundraising.

Element (6)
  Current: A statement that the consent is subject to revocation at any time except to the extent that the part 2 program or other lawful holder of patient identifying information that is permitted to make the disclosure has already acted in reliance on it. Acting in reliance includes the provision of treatment services in reliance on a valid consent to disclose information to a third-party payer.
  Proposed: The patient’s right to revoke the consent in writing, except to the extent that the part 2 program, or other lawful holder of patient identifying information that is permitted to make the disclosure, has already acted in reliance on it, and how the patient may revoke consent.
  Summary of change: Technical alignment with HIPAA. No material change.

Element (7)
  Current: The date, event, or condition upon which the consent will expire if not revoked before. This date, event, or condition must ensure that the consent will last no longer than reasonably necessary to serve the purpose for which it is provided.
  Proposed: An expiration date or an expiration event that relates to the individual patient or the purpose of the use or disclosure. The statement “end of the treatment,” “none,” or similar language is sufficient if the consent is for a use or disclosure for treatment, payment, or health care operations. The statement “end of the research study” or similar language is sufficient if the consent is for a use or disclosure for research, including for the creation and maintenance of a research database or research repository.
  Summary of change: Substantive changes to align with HIPAA.

Element (8)
  Current: The signature of the patient and, when required for a patient who is a minor, the signature of an individual authorized to give consent under § 2.14; or, when required for a patient who is incompetent or deceased, the signature of an individual authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.
  Proposed: The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent under § 2.14; or, when required for a patient who lacks the capacity to make their own health care decisions or is deceased, the signature of a person authorized to sign under § 2.15. Electronic signatures are permitted to the extent that they are not prohibited by any applicable law.
  Summary of change: Technical changes.

Element (9)
  Current: The date on which the consent is signed.
  Proposed: The date on which the consent is signed.
  Summary of change: No change.

Element (10)
  Current: N/A
  Proposed: A patient’s written consent to use or disclose records for treatment, payment, or health care operations must include all of the following statements: (i) The potential for the records used or disclosed pursuant to the consent to be subject to redisclosure by the recipient and no longer protected by this part. (ii) The consequences to the patient of a refusal to sign the consent.
  Summary of change: Additional content must be added to a TPO consent to provide the patient with notice of: (1) the downstream uses and redisclosures of the Part 2 record; and (2) if refusal to sign the TPO consent will have consequences, such as conditioning treatment or payment for treatment on the TPO consent. HHS does not propose to prohibit the conditioning of treatment on the patient signing the TPO consent.[56]

Prohibition on Redisclosure Notice

Although HHS has made great efforts to align Part 2’s consent elements with HIPAA’s authorization elements, HHS has chosen to retain the requirement that a prohibition on redisclosure notice accompany any Part 2 disclosure made pursuant to a patient’s written consent, including a TPO consent. HHS is proposing to rebrand the “prohibition on redisclosure notice” as a “notice to accompany disclosure,” and to modify the long-form notice to notify recipients who are covered entities or business associates (or who have received the Part 2 records from a covered entity or business associate for a HIPAA-permitted purposes) that Part 2 does not prohibit these recipients from making further use or disclosure of the Part 2 record.[57]

Downstream Uses and Redisclosures of Part 2 Information

HHS further proposes to create different redisclosure permissions for two categories of recipients of Part 2 records pursuant to a written consent:

  • Part 2 programs, covered entities and business associates. HHS proposes to allow Part 2 programs, covered entities, and business associates (collectively, “HHS Regulated Entities”) that receive Part 2 records pursuant to a written consent for TPO purposes to redisclose those records for any purpose permitted by the HIPAA Privacy Rule, except for uses and disclosures for civil, criminal, administrative, and legislative proceedings against the patient.[58] This is a significant change. If finalized, it may effectively cut off the majority of Part 2 privacy protections for Part 2 records received by HHS Regulated Entities pursuant to a patient’s written TPO consent. Indeed, HHS proposes to limit the scope of a patient’s right to revoke a TPO consent to only post-revocation disclosures by the Part 2 program. A revocation would have no effect on a recipient HHS Regulated Entity’s ability to continue to use and redisclose the Part 2 records that it received prior to revocation.[59]
  • Other lawful holders. HHS also proposes to permit a lawful holder that is not a covered entity, business associate, or Part 2 program to redisclose Part 2 records for payment and health care operations to its contractors, subcontractors, or legal representatives as needed to carry out the activities in the consent.[60]

HHS expects these changes will “facilitate greater integration of SUD treatment information with other PHI,” “improve communication and care coordination” between providers and payers, and reduce administrative burden.[61] HHS proposes to offset the impact such increased data sharing might have on patient privacy by ensuring that covered entities and business associates are still subject to Part 2’s more stringent privacy protections on how Part 2 records are used against patients in legal and administrative proceedings.[62]

Special Rule for Intermediaries

Although HHS proposes to permit the use of consent forms that name a class of persons to whom a disclosure is made and to permit the redisclosure of Part 2 records received by HHS Regulated Entities for TPO purposes for any purpose permitted by the HIPAA Privacy Rule, if the disclosure is to an “intermediary,” the consent must also:

HHS proposes to remove the requirement that the consent form include a statement that patients have a right to request a list of disclosures made pursuant to the consent from the intermediary.[64] However, these intermediaries are still required to provide patients with a list of disclosures upon request.[65] HHS proposes to change the time period covered by this requirement from 2 years to 3 years to align it with the new accounting requirements for Part 2 programs.[66]       

HHS thus proposes to more narrowly restrict the disclosure (and redisclosure) of Part 2 records if one or more of the recipients is an “intermediary.” HHS proposes to define an “intermediary” as “a person who has received records under a general designation in a written patient consent to be disclosed to one or more of its member participant(s) who has a treating provider relationship with the patient.”[67] This is a functional definition that is not restricted to a title or category of business.[68] HHS explains: “[A]n electronic health record vendor that enables entities at two different health systems to share records likely would be an intermediary. That same vendor would not be an intermediary when used by employees in different departments of a hospital to access the same patient’s records.”[69]

HHS gives the following examples of intermediaries: “health information exchange, a research institution that is providing treatment, an accountable care organization [(ACO)], or a care management organization [(CMO)].”[70] HHS also explains that “member participants” refers to “health care provider practices or health-related organizations.”[71] By contrast, “a research institution that is not providing treatment or a health app that is providing individual patients with access to their records would not be considered an intermediary. [And m]ember participants of an intermediary . . . does not include individual health plan subscribers or workforce members who share access to the same electronic health record system.”[72]

HHS also does not propose to substantively change the definition of “treating provider relationship,” which (as technically revised in the NPRM) means: “that, regardless of whether there has been an actual in-person encounter: (1) A patient is, agrees to be, or is legally required to be diagnosed, evaluated, or treated, or agrees to accept consultation, for any condition by a person; and (2) The person undertakes or agrees to undertake diagnosis, evaluation, or treatment of the patient, or consultation with the patient, for any condition.”[73] Thus, this special rule for intermediaries will presumably continue to limit the disclosure of Part 2 records through an HIE (including an EHR that functions as an HIE), ACO, CMO and other entities when the downstream recipient is not specifically named but only generally described, and in such cases only persons within a narrowly defined treating provider relationship with the patient will be authorized to receive the data. This restriction may undermine HHS’s ultimate goal of facilitating greater integration, improved communication and care coordination, and reduced administrative burden.

Part 2 Accounting Requirements

HHS further proposes to impose certain accounting of disclosure requirements on Part 2 programs. Specifically, the NPRM would require Part 2 programs to provide patients the right to “an accounting of all disclosures made with consent under § 2.31 in the six years prior to the date of the request (or a shorter time period chosen by the patient).”[74] The accounting statement must meet HIPAA’s accounting of disclosure requirements found at 45 CFR 164.528(a)(2) and (b)-(d).[75] However, if the disclosures were made for TPO purposes, then the patient is only entitled to an accounting for the disclosures made through an electronic health record up to three years prior to the date of the request.[76] HHS proposes to toll the compliance date for TPO accounting until the effective date of a final rule on the HIPAA accounting of disclosures standard. This would ensure that Part 2 programs do not incur new compliance obligations before covered entities and business associates under the HIPAA Privacy Rule are obligated to comply. Additionally, HHS proposes requiring Part 2 programs to include a statement of the right to an accounting of electronic record disclosures for TPO purposes in the program’s NPPs.[77]

HHS also proposes to continue to grant patients, who have consented to the disclosure of their Part 2 records through an intermediary using a general designation consent, the right to request an accounting of disclosures from the intermediary.[78] If an intermediary receives a request from such a patient in writing, it must provide the patient with a list of all persons to which it disclosed the patient’s records pursuant to the general designation within the past 3 years.[79] The list must be provided in no more than 30 days and must include the names of the recipients, the date the record was disclosed, and a brief description of the identifying information disclosed.[80]

Part 2 Exceptions

HHS proposes only a couple of notable changes to the Part 2 exceptions to the consent requirements. Specifically, HHS proposes to modify the exception for audits and evaluations and to create a new exception for public health disclosures. HHS also proposes to provide in 42 CFR 2.2(b)(2) that Part 2 requires the disclosure of Part 2 records to the HHS Secretary when such disclosures are necessary for Part 2 compliance investigations and enforcement of Part 2.[81]

Audits and Evaluations

HHS proposes to retitle the audits and evaluations exception as the “management audits, financial audits, and program evaluation” exception, in an effort to more clearly describe the uses and disclosures to which it is meant to apply.[82] HHS recognizes that there is significant overlap between these activities and health care operations[83] and health oversight activities.[84] HHS thus further proposes to modify the exception to clarify that Part 2 programs, covered entities and business associates are permitted to disclose Part 2 records pursuant to a TPO consent when a requesting entity is seeking records for the following activities (and without relying on this exception):

  • Activities undertaken by a federal, state, or local governmental agency, or a third-party payer or health plan, in order to:
    • Identify actions the agency or third-party payer or health plan can make, such as changes to its policies or procedures, to improve care and outcomes for patients with substance use disorders who are treated by part 2 programs;
    • Ensure that resources are managed effectively to care for patients; or 
    • Determine the need for adjustments to payment policies to enhance care or coverage for patients with SUD; or
  • Reviews of appropriateness of medical care, medical necessity, and utilization of services; or 
  • For quality assurance activities conducted by accreditation or similar types of organizations focused on quality assurance.[85]

However, to the extent an activity is not a health care operation, but a health oversight activity, the requirements of this exception may apply,[86] unless the entity making the disclosure for the health oversight activity is a HHS Regulated Entity and was itself the recipient of the Part 2 program records pursuant to a TPO consent.[87] In those instances, the HHS Regulated Entity is permitted to redisclose the Part 2 program records for any purpose permitted by the HIPAA Privacy Rule, which would include HIPAA’s exception for health oversight activities.  

Disclosures for Public Health (New!)

Per the mandate in the CARES Act amendments, HHS proposes to create a new exception that allows Part 2 programs to disclose Part 2 records without patient consent to a public health authority so long as the record is de-identified.[88] Although this is a “new” exception, it is of little substantive import given that Part 2 does not apply to de-identified data. Indeed, HHS clarifies in the NPRM that this new exception should not be misconstrued “as extending the protections of Part 2 to de-identified information, as such information is outside the scope of 2.12(a).”[89]

Court Orders

Finally, HHS proposes revisions to Subpart E of the Part 2 regulations, which govern court orders that authorize the use and disclosure of Part 2 records. Many of the revisions expressly clarify that the Subpart E requirements apply to administrative and legislative proceedings, as well as criminal and civil proceedings. HHS further proposes to extend Part 2 protections over the use and disclosure of testimony relaying the information in Part 2 records.[90]

HHS also proposes to add a new process for investigative agencies that unknowingly obtain Part 2 records during an investigation or prosecution of a Part 2 program or person holding Part 2 records, including placement of an undercover agent.[91] Specifically, investigative agencies that discover in good faith that they unknowingly obtained Part 2 records are required to secure those records and to cease using and disclosing them until an appropriate authorization or court order is obtained. If such an authorization or court order is not obtained within 120 days of the discovery, the agency must return or destroy the Part 2 records.[92] HHS further proposes to require investigative agencies to file an annual report with HHS regarding applications filed for Part 2 court orders after the discovery of unknowingly received Part 2 records or placement of the undercover agent.[93]

About the Authors

Melissa (Mel) A. Soliz, a partner with Coppersmith Brockelman, is highly sought out for her deep expertise on data privacy and interoperability issues ranging from HIPAA and 42 CFR Part 2 compliance to the ONC Information Blocking Rule, TEFCA (the Trusted Exchange Framework and Common Agreement) and CMS interoperability mandates. Her practice also focuses on health information exchange and networks, health IT contracting (particularly for social determinants of health and health equity platforms), data breaches and OCR investigations, as well as clinical research compliance and contracting. Mel is President of the Arizona Society of Healthcare Lawyers (AzSHA) and a 2022 Phoenix Magazine Top Lawyer. 

Benjamin (Ben) Yeager is an associate attorney with Coppersmith Brockelman. Ben is developing his practice in health care and data privacy law. Before joining Coppersmith Brockelman, Ben completed clerkships with the Arizona Supreme Court and the Arizona Court of Appeals. During law school, he served as the Administrator of the Hope Endowment Home in Gujarat, India, a children’s home and school serving 150 children that prepares children for future careers and helps them break free from generational poverty.

By the way, you know this is not legal advice, right? Right!

Check with your attorney for legal advice applicable to your situation.


Endnotes

[1] Public Law 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).
[2] “HIPAA” collectively refers to the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, as amended. For a more detailed summary of Section 3221 of the CARES Act, please read our Coppersmith Brockelman brief, The CARES Act: Sweeping Changes to Substance Use Disorder Privacy Law (42 USC 290dd-2) (Mar. 30, 2020) (technical amendments Apr. 2, 2020).
[3] See Substance Abuse and Mental Health Services Administration (SAMSHA), Statement on 42 CFR Part 2 Amendments Process.
[4] 87 FR 74216 (Dec. 2, 2022).
[5] Pub. L. 91-616, 84 Stat. 1848 (Dec. 31, 1970).
[6] Pub. L. 92-255, 86 Stat. 65 (Mar. 21, 1972).
[7] 40 FR 27802 (July 1, 1975).
[8] 52 FR 21796 (June 9, 1987).
[9] See 82 FR 6052 (Jan. 18, 2017); 83 FR 239 (Jan. 3, 2018); 85 FR 42986 (July 15, 2020); 85 FR 80626 (Dec. 14, 2020).
[10] CARES Act, Pub. L. 116-136, 134 Stat. 281 (March 27, 2020) (as codified at 42 USC 209dd-2).
[11] 42 CFR 2.3; see also 42 USC 1320d-5 and 1320d-6.
[12] 87 FR at 74225, n. 104.
[13] 87 FR at 74274.
[14] See 42 CFR 2.3(a); Title 18 of the U.S. Code; 42 USC 1320d-5 and 1320d-6.
[15] 87 FR at 74274.
[16] 87 FR at 74275.
[17] 87 FR at 74227.
[18] 87 FR at 74277; see also 45 CFR Part 164, Subpart D.
[19] 45 CFR 164.404, 164.406, and 164.408, respectively.
[20] 87 FR at 74277.
[21] 42 CFR 2.12(a)(1).
[22] 42 CFR 2.11.
[23] See, e.g., 42 CFR 2.12(d)(2).
[24] See, e.g., 87 FR at 74232.
[25] See, e.g., 87 FR at 74229–30.
[26] 42 CFR 2.11.
[27] 42 CFR 2.12(d)(2).
[28] See, e.g., 87 FR at 74231.
[29] 87 FR at 74276.
[30] 42 CFR 2.16(a)(2)(iv).
[31] 87 FR at 74277.
[32] 45 CFR 164.514(b).
[33] 87 FR at 74230.
[34] See 45 CFR 164.501.
[35] 87 FR at 74230.
[36] See, e.g., 87 FR at 74230–31.
[37] 42 CFR 2.22(a)(c).
[38] 42 CFR 2.22(b).
[39] See 45 CFR 164.520(b).
[40] 45 CFR 164.520(b).
[41] 87 FR at 74235.
[42] 87 FR at 74274.
[43] 87 FR at 74274, 74280.
[44] 87 FR at 74235.
[45] 87 FR at 74237.
[46] 87 FR at 74237.
[47] 87 FR at 74235.
[48] See 87 FR at 74236–37.
[49] See 87 FR at 74237.
[50] 87 FR at 74235; see also id. at 74237–38.
[51] 87 FR at 74237.
[52] 87 FR at 74236.
[53] 87 FR at 74236.
[54] 42 CFR 2.31.
[55] 87 FR at 74280–81.
[56] 87 FR at 74241.
[57] 87 FR at 74241, 74281.
[58] 87 FR at 74281–82.
[59] 87 FR at 74240.
[60] 87 FR at 74251.
[61] 87 FR at 74242.
[62] 87 FR at 74242.
[63] 87 FR at 74281.
[64] 87 FR at 74241.
[65] 87 FR at 74239.
[66] 87 FR at 74239.
[67] 87 FR at 72474–75.
[68] 87 FR at 74229.
[69] 87 FR at 74229.
[70] 87 FR at 74229.
[71] 87 FR at 74229.
[72] 87 FR at 74229.
[73] 87 FR at 74275.
[74] 87 FR at 74280.
[75] 87 FR at 74280.
[76] 87 FR at 74280.
[77] 87 FR at 74279; id. at 74236.
[78] 87 FR at 74280.
[79] 87 FR at 74280.
[80] 87 FR at 74280.
[81] 87 FR at 74247.
[82] 87 FR at 74243.
[83] 87 FR at 74244.
[84] 87 FR at 74243–44.
[85] 87 FR at 74244.
[86] 87 FR at 74244.
[87] 87 FR at 74244.
[88] 87 FR at 74283.
[89] 87 FR at 74244–45.
[90] See generally 87 FR at 74245.
[91] 87 FR at 74246–47.
[92] 87 FR at 74246.
[93] 87 FR at 74247.

By: Miranda A. Preston and Desalina Williams, Milligan Lawless

The Centers for Medicare & Medicaid Services (CMS) has broad authority to revoke a health care provider’s and supplier’s Medicare enrollment, and in recent years, CMS’s revocation authority has increased.[1]  Currently, CMS has the discretion to revoke the Medicare enrollment of any health care provider or supplier who fails to report various events to CMS, whether in the initial enrollment application, or after enrollment, following the occurrence of certain events.[2]  

Physicians, non-physician practitioners, and their respective organizations (collectively, the “Physicians” in this article[3]), who are enrolling in Medicare, or who are currently enrolled, are required[4] to report all of the following to their designated Medicare contractor within the following time periods:

     (1) Within 30 days –

            (i) A change of ownership[5];

            (ii) Any adverse legal action; or

            (iii) A change in practice location.

     (2) All other changes in enrollment must be reported within 90 days.

The Medicare regulations do not define what constitutes an “adverse legal action.”  The Medicare regulations do however define a “final adverse action,” to include one or more of the following: 

     (1) a Medicare-imposed revocation of any Medicare billing privileges; (2) suspension or revocation of a license to provide health care by any State licensing authority [e.g., Arizona’s allopathic or osteopathic Medical Boards]; (3) revocation or suspension by an accreditation organization; (4) a conviction of a Federal or State felony offense (as defined in § 424.535(a)(3)(i))[6] within the last 10 years preceding enrollment, revalidation, or re-enrollment; or (5) an exclusion or debarment from participation in a Federal or State health care program.[7]

From the definition of a “final adverse action,” one can reasonably conclude (and CMS appears to have taken the position) that “any adverse legal action” includes all of the above circumstances, and any other event which could possibly be construed as an adverse legal action, even if it has no bearing on a Physician’s practice of medicine.  Accordingly, Physicians should consult with legal counsel to ensure timely and complete disclosures to their Medicare contractor of events that could possibly constitute adverse legal actions.

If a Physician fails to report any of the above within the required time frames, CMS may revoke the Physician’s participation in the Medicare program, effectively terminating the Physician’s Medicare participation agreement.[8] Medicare revocations for failure to report in compliance with the above requirements are often coupled with other bases for revocation, such as when a Physician fails to report a felony conviction.[9]  

When a Physician’s Medicare participation is revoked (in addition to the host of other potentially devastating consequences listed below), CMS bars the Physician from participating in the Medicare program from the date of the revocation until the end of the re-enrollment bar imposed by CMS, which can range from 1 to 10 years.[10]  Medicare revocation can have other far-reaching negative consequences for Physicians, including but not limited to: (i) placement on the CMS Preclusion List, rendering the Physician unable to contract with Medicare Advantage plans or prescribe Part D prescription drugs; (ii) termination of commercial payor agreements; (iii) loss of medical staff privileges; (iv) termination of employment; and (v) general reputational damage.

To avoid revocation of Medicare enrollment as a result of a Physician’s failure to report, Physicians enrolled in Medicare must carefully monitor operational changes that are a part of the Medicare enrollment file and timely report such changes. 

For more information, or if you have questions about Medicare reporting requirements, please contact Miranda Preston, Desalina Williams, or another health care attorney at Milligan Lawless.


[1]  See Medicare, Medicaid, and Children’s Health Insurance Programs; Program Integrity Enhancements to the Provider Enrollment Process, 84 Fed. Reg. 47794 (Sept. 10, 2019); CMS Announces New Enforcement Authorities to Reduce Criminal Behavior in Medicare, Medicaid, and CHIP, CMS.gov Newsroom (Sept. 5, 2019), https://www.cms.gov/newsroom/press-releases/cms-announces-new-enforcement-authorities-reduce-criminal-behavior-medicare-medicaid-and-chip

[2]  See 42 C.F.R. § 424.535(a)(9).

[3]  The more commonly used term, health care “Provider” is a specifically defined term in the Medicare regulations.  Accordingly, this article uses the term “Physicians” throughout, even though non-physician providers are included in this definition.  Under Medicare regulations, a “supplier” furnishes services under Medicare and includes physicians or other practitioners and facilities that are not included within the definition of the phrase “provider of services.”  42 U.S.C. § 1395x(d).  A “provider of services,” commonly shortened to “provider,” includes hospitals, critical access hospitals, skilled nursing facilities, comprehensive outpatient rehabilitation facilities, home health agencies, hospice programs, and a fund as described in sections 1395f(g) and 1395n(e).  42 U.S.C. § 1395x(u).  The distinction between providers and suppliers is important because they are treated differently under Medicare regulations for some purposes. 

[4]  42 C.F.R. § 424.516(d).

[5] For most Physicians (excluding Medicare suppliers that require approval through certification survey by the state surveying agency or through accreditation (e.g., portable X-ray suppliers, ambulatory surgery centers, and hospitals with departments that bill for Medicare Part B services)), any change in the ownership or control of the Physician must be reported on the Physician’s Medicare enrollment application within 30 days of the change.  Generally, a change of ownership that also changes the Physician’s tax identification number requires the completion and submission of a new enrollment application from the new owner. See 42 C.F.R. § 424.550(c). A “change of ownership,” the CMS term of art often abbreviated as a CHOW, is a distinct process. The regulations for CHOWs are codified at 42 C.F.R. § 489.18.

[6]  Section 424.535(a)(3)(i) defines “Felonies” as:

  • The provider, supplier, or any owner or managing employee of the provider or supplier was, within the preceding 10 years, convicted (as that term is defined in 42 CFR 1001.2) of a Federal or State felony offense that CMS determines is detrimental to the best interests of the Medicare program and its beneficiaries.
  • Offenses include, but are not limited in scope or severity to – 

(A) Felony crimes against persons, such as murder, rape, assault, and other similar crimes for which the individual was convicted, including guilty pleas and adjudicated pretrial diversions. 

(B) Financial crimes, such as extortion, embezzlement, income tax evasion, insurance fraud and other similar crimes for which the individual was convicted, including guilty pleas and adjudicated pretrial diversions. 

(C) Any felony that placed the Medicare program or its beneficiaries at immediate risk, such as a malpractice suit that results in a conviction of criminal neglect or misconduct. 

(D) Any felonies that would result in mandatory exclusion under section 1128(a) of the Act.

  • Revocations based on felony convictions are for a period to be determined by the Secretary, but not less than 10 years from the date of conviction if the individual has been convicted on one previous occasion for one or more offenses.

[7]  42 C.F.R. § 424.502. 

[8]  42 C.F.R. § 424.535(a)(9). 

[9]  Physicians who have been convicted of a felony offense within the preceding 10 years, which felony CMS determines is “detrimental to the best interests of the Medicare program,” can be revoked from Medicare participation under a separate regulatory basis.  See 42 C.F.R. § 424.535(a)(3).  CMS has virtually unbridled discretion to determine that felony offenses are detrimental to the best interests of the Medicare program, even if the conviction has no apparent connection to the Physician’s treatment of Medicare beneficiaries (e.g., felony convictions for driving under the influence). 

[10]  42 C.F.R. § 424.535(c).

By: Chelsea Gulinson, Milligan Lawless, P.C.

Though overshadowed by the COVID-19 Pandemic, the Opioid Epidemic has quietly charged forward, with over 100,000 Americans dying from drug overdoses in 2021.  State, local, and tribal governments have filed thousands of lawsuits against companies and individuals responsible for producing, manufacturing, distributing, or prescribing opioids seeking to hold them accountable for their role in the Epidemic.  Novel legal theories, such as public nuisance violations, have been successful in some jurisdictions, but have failed in others.  Some verdicts have been upheld; others reversed or remanded. 

Despite this uncertain legal landscape, several Big Pharma companies have recently settled with state governments for billions of dollars and injunctive relief.  Whether such an influx of cash will truly mitigate the effects of the Opioid Epidemic on the victims—those suffering from substance use disorder and families grieving their lost loved ones—is yet to be determined.  This blog post briefly describes the current state of the Opioid Epidemic and recent developments in related litigation. 

From 1999 to 2019, almost 500,000 Americans died from a drug overdose involving an opioid.  The first wave of the Opioid Epidemic began in 1999 with increased prescriptions of opioids.  In 2010, the second wave saw rapid increases in overdose deaths involving heroin.  The third wave commenced in 2013, with drug overdose deaths overwhelmingly characterized by synthetic opioids, particularly fentanyl.[i]

In 2019, 70,630 drug overdose deaths occurred in the United States, a 4.3% increase from 2018.  Nearly 50,000 deaths were attributable to opioids, over 36,000 involving synthetic opioids.[ii]  In 2020, drug overdose deaths increased to nearly 100,000 Americans, a 30% increase from 2019.  The COVID-19 Pandemic, which claimed the lives of over 1 million Americans, exacerbated the Opioid Epidemic by disrupting access to prevention, treatment, and harm reduction services.  It also highlighted ongoing disparities in access to health care among minority groups.  For example, drug overdose deaths disproportionately increased among Black and American Indian/Alaskan Native persons from 2019 to 2020 due to stigmatization, criminalization, and lack of access to evidence-based treatments.[iii] “Provisional” data from the CDC indicate that over 100,000 Americans died from a drug overdose in 2021.[iv]

In 2020, almost 4,000 non-fatal opioid overdoses occurred in Arizona, with 1,886 opioid-related overdose deaths.  In 2021, Arizonans suffered 3,555 non-fatal opioid overdose events, and over 2,000 Arizona residents died from opioid-related overdoses.  As of September 8, 2022, nearly 2,000 non-fatal opioid overdoses have occurred, and 372 Arizona residents have died from an opioid-related overdose.[v]

Data about opioid prescribing rates help illuminate how the Opioid Epidemic began, why it persists, and why many hold Big Pharma responsible for the Epidemic.  Of individuals who began abusing opioids in the 1960s, more than 80% started with heroin.  In contrast, of those who began abusing opioids in the 2000s, 75% started with a prescription drug, and nearly 80% of heroin users reported using prescription opioids before using heroin.[vi]

The opioid prescribing rate began to increase steadily in 2006, peaking in 2012 at more than 255 million opioid prescriptions, with a dispensing rate of 81.3 prescriptions per 100 persons.  The national opioid dispensing rate declined between 2012 to 2020, with 43.3 opioid prescriptions per 100 persons in 2020 (still, more than 142 million opioid prescriptions).  Although 2020 saw the lowest opioid dispensing rate to date, for which we have data, dispensing rates remained high in specific hotspots across the country.  In 2020, Southern states, including Kentucky, Tennessee, Alabama, Louisiana, Mississippi, and Arkansas, saw an opioid dispensing rate between 64.1 and 82.9 opioid prescriptions per 100 persons.  And some counties saw opioid dispensing rates of over 112.5 opioid prescriptions per 100 persons.[vii]

One of the first Opioid Epidemic lawsuits commenced in 2017, when the State of Oklahoma sued Johnson & Johnson, Purdue Pharma, and Teva Pharmaceuticals, alleging that the companies deceptively marketed opioids in Oklahoma.  After settling with Purdue Pharma and Teva Pharmaceuticals, the State dismissed all claims against Johnson & Johnson except a novel public nuisance argument.  After a 33-day bench trial, the Court held that Johnson & Johnson, “acting in concert with others, embarked on a major campaign in which they used branded and unbranded marketing to disseminate the messages that pain was being undertreated and ‘there was a low risk of abuse and a low danger’ . . . designed to reach Oklahoma doctors through multiple means and at multiple times over the course of the doctor’s professional education and career.”[viii] The Court awarded a $572 million judgment against Johnson & Johnson.  On November 9, 2021, however, the Oklahoma Supreme Court overturned the verdict against Johnson & Johnson, holding that Oklahoma’s public nuisance law did not extend to the manufacturing, marketing, and selling of prescription opioids.[ix]  Oklahoma later settled with Johnson & Johnson, McKesson, Cardinal, and AmerisourceBergen for $26 billion.[x]

New Hampshire filed suit against Johnson & Johnson’s subsidiaries in 2018, alleging that the company misrepresented that their opioids were safer than alternatives in aggressive marketing to prescribers and patients.  New Hampshire also alleged that the company “disseminated misleading statements about opioids, that they promoted the false concept of pseudoaddiction and that they misrepresented that their opioids were rarely addictive when used for chronic pain.”  On September 1, 2022, Johnson & Johnson entered into a $40.5 million settlement with New Hampshire, with $21.5 million of the settlement to be used for opioid abatement purposes.  Along with the settlement payment, Johnson & Johnson agreed to a ban on selling and manufacturing opioids, promoting opioids and opioid products, and prescription savings programs, as well as lobbying restrictions and stringent enforcement provisions.[xi]

The Ohio Multi-District Litigation – a consolidation of over 3,000 cases brought by state, local, and tribal governments – has recently held pharmacies responsible for their role in the Opioid Epidemic.  On August 17, 2022, the court ordered CVS, Walgreens, and Walmart to pay $650.5 million to two Ohio counties after a jury returned a verdict against them in November 2021.  The jury found the defendants liable for causing a public nuisance through intentional and illegal conduct, such as oversupplying legal prescription opioids that were then diverted into illicit markets.[xii]  A spokesperson for CVS indicated the company would appeal, claiming that CVS’s pharmacists “fill legal prescriptions written by D.E.A.-licensed doctors who prescribe legal, F.D.A.-approved substances to treat actual patients in need.”  A Walmart spokesperson blamed the “real causes of the opioid crisis, like pill mill doctors, illegal drugs and regulators asleep at the switch.”[xiii]

Pharmacies have attempted to shift blame to physicians, but the Supreme Court recently sided with two physicians convicted of unlawfully dispensing and distributing drugs and sentenced to more than 20 years in prison.  The Supreme Court vacated the physicians’ convictions and rejected the government’s mens rea standard of an “objectively reasonable good-faith effort.”  Instead, the Supreme Court held that the government “must prove beyond a reasonable doubt that the defendant knowingly or intentionally acted in an unauthorized manner.”[xiv]

States, municipalities, and tribal nations have filed suits against various parties, including pharmaceutical companies, manufacturers, distributors, and doctors.  Big Pharma has been accused of, and found liable for, oversupplying Americans with billions of pain medications.  As settlements occur, many question whether the government should also be held responsible for its failures in preventing and combating the Epidemic.  For example, some point to the FDA’s approval of OxyContin’s revised 2001 label for “around-the-clock” pain relief.  Others find fault with the DEA due to the agency’s slow response to the significant increase in the use and diversion of opioids, failure to use available resources, and inadequate policies that did not hold registrants accountable or prevent diversion of pharmaceutical opioids.[xv]  And although defendants have agreed to pay billions of dollars to help compensate victims, others are not confident that governments receiving the settlement funds will spend these funds effectively.  Perhaps jaded by states’ misspending of their annual proceeds from the $246 billion tobacco Master Settlement Agreement, the likelihood of fights between state and local governments, and politicians on both sides of the political spectrum, critics are rightly concerned about whether the victims of the Opioid Epidemic will see any meaningful relief.[xvi]


[i] Understanding the Epidemic, CDC, https://www.cdc.gov/drugoverdose/epidemic/index.html (last accessed Sept. 8, 2022).

[ii] Christine L. Mattson, Ph.D. et al., Trends and Geographic Patterns in Drug and Synthetic Opioid Overdose Deaths – United States, 2013 – 2019, Morbidity and Mortality Weekly Report, CDC, Feb. 12, 2021, available at https://www.cdc.gov/mmwr/volumes/70/wr/mm7006a4.htm?s_cid=mm7006a4_w.

[iii] Mbabazi Kariisa, PhD et al., Vital Signs: Drug Overdose Deaths, by Selected Sociodemographic and Social Determinants of Health Characteristics – 25 States and the District of Columbia, 2019-2020, Morbidity and Mortality Weekly Report, CDC, July 22, 2022, available at https://www.cdc.gov/mmwr/volumes/71/wr/mm7129e2.htm?s_cid=mm7129e2_w#suggestedcitation.

[iv] Provisional Drug Overdose Death Counts, National Center for Health Statistics, CDC, https://www.cdc.gov/nchs/nvss/vsrr/drug-overdose-data.htm#notes (last accessed Sept. 8, 2022).

[v] Weekly Opioid Data, Opioid Prevention, Arizona Department of Health Services, https://www.azdhs.gov/opioid/ (last accessed Sept. 8, 2022).

[vi] Prescription Opioids and Heroin Research Report, National Institute on Drug Abuse, Rev. Jan. 2018, available at https://nida.nih.gov/download/19774/prescription-opioids-heroin-research-report.pdf?v=fc86d9fdda38d0f275b23cd969da1a1f.

[vii] U.S. Opioid Dispensing Rate Map, CDC, available at https://www.cdc.gov/drugoverdose/rxrate-maps/index.html (last accessed Sept. 8, 2022).

[viii] Judgment After Non-Jury Trial, State of Oklahoma ex rel. Hunter v. Purdue Pharma, L.P. et al., District Court of Cleveland County State of Oklahoma, case no. CJ-2017-816 (Aug. 26, 2019), available at https://int.nyt.com/data/documenthelper/1660-oklahoma-opioid-trial-johnson-and-johnson/79f3fe55f5fa1a75bd48/optimized/full.pdf#page=1.

[ix] District Court’s Judgment Reversed, State of Oklahoma ex rel. Hunter v. Johnson & Johnson et al., Supreme Court of the State of Oklahoma, case no. 118,474 (Nov. 9, 2021), available at https://www.washingtonpost.com/context/oklahoma-court-overturns-465m-opioid-ruling-against-j-j/159ce2c6-f6ba-4e6a-bfaa-539702c744be/?itid=lk_inline_manual_4.

[x] Christine Minhee, States and Localities Have $38 Billion (Ish) on the Table, available at https://www.opioidsettlementtracker.com/globalsettlementtracker (last accessed Sept. 9, 2022).

[xi] Attorney General Reaches $40.5 Million Settlement with Johnson & Johnson to Settle Opioid Claims, New Hampshire Department of Justice, Sept. 1, 2022, https://www.doj.nh.gov/news/2022/2022901-opioid-settlement.htm.

[xii] Abatement Order, In re National Prescription Opiate Litigation, United States District Court Northern District of Ohio, case no. 1:17-md-2804 (Aug. 17, 2022), available at https://www.ohnd.uscourts.gov/sites/ohnd/files/4611.pdf.

[xiii] Jan Hoffman, CVS, Walgreens and Walmart Must Pay $650.5 Million in Ohio Opioids Case, N.Y. Times (Aug. 18, 2022), available at https://www.nytimes.com/2022/08/17/health/opioids-cvs-walmart-walgreens.html.

[xiv] See Xiulu Ruan v. United States, Supreme Court of the United States, case no. 20-1410 (June 27, 2022), available at https://www.supremecourt.gov/opinions/21pdf/20-1410_1an2.pdf.

[xv] Review of the Drug Enforcement Administration’s Regulatory and Enforcement Efforts to Control the Diversion of Opioids, Office of the Inspector General, U.S. Department of Justice (Sept. 2019), available at https://oig.justice.gov/reports/2019/e1905.pdf.

[xvi] See Christine Minhee, supra note x, at https://www.opioidsettlementtracker.com/faq/#bigtobacco.

By: Chase Millea, Snell & Wilmer[1]

We’ve all heard it from one of our more active friends: 

“Have you tried that latest health app? It tracks your fitness – from what you eat to how you sleep to counting every step you take. You can put in your chronic conditions, medications and the last time you took a sip of water so you can make sure everything is in one place. And since it’s a health app it’s HIPAA certified so your information is totally secure.”

This example may make some readers of the AzSHA blog chuckle, but the growing number of health apps – from wearable watches to mobile medication management tools – present an interesting challenge for consumers to determine exactly which laws apply to which apps, and, importantly, how their health information is collected, used and disclosed. 

In the nearly thirty years since its promulgation, HIPAA – the Health Insurance Portability and Accountability Act – has gained significant traction as a pop-culture norm: when we hear health, we often think HIPAA, and the constraints it places on the sharing of health information. 

This normalization may constitute a great achievement for public understanding around rights in “protected health information” or “PHI,” the limited type of health information actually regulated under HIPAA; however, odds are (as supported by impromptu polls of friends, family, and even developers of mobile health apps), the general perception of HIPAA applicability may be much wider than the law provides. 

In other words, people hear health in a variety of contexts (whether at a hospital or in a free fitness app) and may think the processing of their health data is always subject to the robust privacy and security protections required under HIPAA. 

Of course, HIPAA does not apply in many health app contexts (as described further below). And with the growing number of such products in the marketplace, now may seem like a good time to review the current legal landscape around these products and to think through how a federal data privacy framework may be needed to resolve consumer confusion by setting national standards on the use of personal information (including identifiable health information).

Before we get into proposing amendments to federal law though, let’s start with the status quo. First recall that HIPAA applies to covered entities (i.e., healthcare providers, health plans and healthcare clearinghouses) and their business associates (i.e., organizations providing services to covered entities).[2] If an entity is subject to HIPAA, federal law requires that organization to (i) implement administrative, technical and physical safeguards to prevent the unauthorized access, use or disclosure of PHI, and (ii) not disclose a patient’s PHI without the patient’s authorization, or unless an exception applies.[3]

So, if a primary care physician offers her patients access to an online portal to view their records, as a healthcare provider, that physician is likely required to comply with HIPAA, and it should generally be safe to assume those administrative, technical and physical safeguards (including use and disclosure restrictions) are in place. 

Conversely though, the health app from the large software provider that enables consumers to personally track diet, nutrition, medication management and other notes about the individual’s healthcare – HIPAA? Not this time. Since in this case the app provider is neither a covered entity nor a business associate, the app provider is not subject to HIPAA, and so individuals’ information is not guaranteed those same robust federal safeguards. And without a national consumer privacy law governing the use and disclosure of personal information generally, health information that is not PHI (i.e., not regulated under HIPAA) does not receive any substantial protections under federal law.

Some states, including California, Colorado and Virginia are addressing this issue through state consumer privacy laws (e.g., the California Consumer Privacy Act or “CCPA”). Many other states are considering similar (and yet non-standard) approaches.[4]

Under the CCPA, certain entities (i.e., for-profit organizations processing data about large quantities of California residents) are required to adhere to rules around the processing of “personal information” (which does include health information not covered under HIPAA).[5] CCPA requires regulated entities to notify consumers of that entity’s uses and disclosures of consumer data (see the “privacy policy” linked at the bottom of nearly every website you visit), and to adhere to consumer requests to review, amend and delete their personal information. Further, the California Privacy Rights Act creates a category of “sensitive personal information” that aims to protect sensitive categories of information (including genetic data and information collected and analyzed concerning a consumer’s health, but not health information generally).[6]

So at least some states are thinking about how to protect some health data that may fall outside of HIPAA, but this is the AzSHA blog, so what do other state laws have to do with us? Well, to the extent an app provider processing your health data is not subject to these laws, the answer is nothing – and that’s kind of the issue. 

Currently, Arizona law only requires organizations processing personal information in Arizona to provide breach notification in the event of an unauthorized disclosure of that data.[7] However, Arizona does not have a consumer privacy law like the CCPA, so it does not require organizations to provide Arizona residents with the various rights – including to review, amend, and delete personal information processed about them – that are required in states like California.

To avoid a hodge-podge of state consumer privacy laws with good intentions and poor practicality, the obvious solution seems to be a federal standard. There has been talk of a federal law similar to the EU General Data Protection Regulation[8] for years, but none has gotten across the legislative finish line. And consumer confusion seems to be a persistent consequence.

Much like HIPAA did with PHI, a comprehensive federal framework may bring standardization to the growing variety in the marketplace, and provide an opportunity to build public understanding of uniform requirements around the use of consumer personal information (including health information not covered under HIPAA). 

The proposed American Data Privacy and Protection Act (“ADPPA”), which includes a category of “sensitive covered data” that captures information relating to the “healthcare condition or treatment of an individual” may be the closest shot yet to laying this federal foundation.[9] This process has been a long one, though, so we won’t hold our breath for the ADPPA to cross the president’s desk just yet.

While we await a federal sea change, maybe it’s best to end with what initiated this blog in the first place: a general perception that consumers are not aware of the laws applicable to the processing of their personal information, including, and maybe especially, their health information. In my practice, I find many consumers (and frankly business teams developing health apps) are confused about when HIPAA applies and which laws protect the processing of what health information. 

So be aware of the confusion and maybe conduct an informal poll or two yourself. And the next time your friend asks, “have you tried that new health app” take a deep breath and just think about how much easier this may be with a federal standard.


[1] This blog represents current, general opinions of the author, and not those of his law firm or colleagues. The content should not be considered legal advice or opinion.   

[2] See 45 C.F.R. § 160.103.

[3] See 45 C.F.R. § 164.304. 

[4] National Conference of State Legislatures, 2022 Consumer Privacy Legislation, available at https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx.

[5] California Consumer Privacy Act, Cal. Civ. Code § 1798.140.

[6] Id.

[7] ARS § 18-552.

[8] Regulation (EU) 2016/679 (General Data Protection Regulation).

[9] American Data Privacy and Protection Act, HR 8152, 117th Congress (2022), available at https://docs.house.gov/meetings/IF/IF00/20220720/115041/BILLS-117-8152-P000034-Amdt-1.pdf