Michael Sutton is an associate in the Corporate Practice Group in the firm's Dallas office.

On November 6, 2023, the Centers for Medicare and Medicaid Services (“CMS”) released the contract year 2025 proposed rule for Medicare Advantage (“MA”) organizations and Part D sponsors (the “Proposed Rule”). The Proposed Rule covers an array of regulatory topics including the Star Ratings program, marketing and communications, agent and broker compensation, health equity, dual eligible special needs plans (“D-SNPs”), utilization management, network adequacy, and access to biosimilars.
Continue Reading CMS Promotes Competition, Transparency, Health Equity and More in the CY2025 Medicare Advantage and Part D Proposed Rule

The expanded use of artificial intelligence (AI) in the delivery of health care continues to receive increased attention from lawmakers across the country. Although AI regulation is still in its early developmental stages, there are various efforts underway to address the unintended negative consequences stirred by AI technology, particularly in health care and other key sectors.[1] Of particular interest are regulatory efforts to restrict discrimination through AI and related technologies.
Continue Reading At a Glance: Legal Efforts to Limit Discrimination Through AI

California is taking steps through Assembly Bill 254 (the “Bill”), approved by the State’s Governor on September 27, 2023, to ensure that patient information collected through reproductive or sexual health applications enjoys protections under the Confidentiality of Medical Information Act (the “CMIA”).[1] In addition to applying to providers and plans, the CMIA applies to businesses that offer software or hardware to consumers, such as mobile applications, which maintain medical information for the purpose of enabling management of such medical information or to otherwise support diagnosis, treatment, or management of a medical condition.[2] As a result, software and application developers may need to consider the CMIA with respect to their obligations relating to this particular data. In addition to certain confidentiality requirements, the CMIA also prohibits certain marketing uses and disclosures and requires breach notification in certain qualifying instances.
Continue Reading California Moves to Protect Medical Information Collected Through Reproductive and Sexual Health Applications

In May, the Federal Trade Commission (“FTC”) proposed changes (the “Proposed Rule”) to the Health Breach Notification Rule (the “Rule”),[1] which, among other items, emphasize that the Rule applies to mobile health applications and related technologies that use or otherwise compile consumers’ health information.[2] While the FTC’s position on this point is not entirely new,[3] industry interpretations of the Rule have been inconsistent.
Continue Reading FTC Proposes Changes to Health Breach Notification Rule Clarifying Application to Health and Wellness Apps

On June 16, 2023, nearly half of the State Attorneys General[1] penned a letter (the “Letter”) to the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) advocating for broader privacy protections surrounding reproductive health care information. Specifically, the Letter targeted the Notice of Proposed Rulemaking (the “Proposed Rule”) published by OCR in April of 2023, which proposed a number of revisions to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).[2]
Continue Reading State Attorneys General Pen Letter to OCR Advocating for Greater Privacy Protection of Reproductive Health Care Information

The Florida Legislature recently amended the Florida Electronic Health Records Exchange Act (the “Act”) to prohibit certain health care providers utilizing certified electronic health record technologies from storing qualified electronic health records[1] outside of the United States, its territories, or Canada.[2] Significantly, the prohibition also extends to qualified electronic health records that are stored through a third-party or subcontracted computing facility or cloud service provider.[3]
Continue Reading Florida Bans Offshoring of Certain Patient Information

Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]
Continue Reading Texas is Making Moves on a Comprehensive Consumer Privacy Law

The Centers for Medicare & Medicaid Services (“CMS”), on behalf of the U.S. Department of Health and Human Services (“HHS”), recently issued a proposed rule to adopt standards under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) for “health care attachment” transactions (the “Proposed Rule”). The Proposed Rule would implement requirements of HIPAA’s administrative simplification regulations, which are intended to support healthcare claims and prior authorization transactions while also introducing a standard format for electronic signatures to be used in conjunction with health care attachments.
Continue Reading CMS’s Administrative Simplification Rule Aims to Increase Efficiency and Standardization for Health Care Attachments

The once-novel medium of telehealth surged onto the stage as a common-sense solution to the COVID-19 pandemic. This surge was facilitated, in part, by certain flexibilities authorized by the Centers for Medicare & Medicaid Services in its response to the public health emergency (“PHE”) that was declared in March of 2020 and has been repeatedly renewed until now. On January 30, 2023, President Joe Biden announced that the PHE would end on May 11, 2023. As the curtains are drawn on the PHE, there can be no doubt that telehealth is here to stay. In light of that reality, it is essential that participants in the telehealth space understand what flexibilities will remain in play.
Continue Reading Telehealth in a Post-PHE World

Social media’s interplay with healthcare privacy presents a constantly evolving challenge. ICYMI (“in case you missed it”), there is an uptick in enforcement and scrutiny IRL (“in real life”) related to communications through social media and other public platforms by entities subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Continue Reading ICYMI: HIPAA and Social Media IRL