On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

Key point: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

On September 9, 2024, the U.S. Department of Labor (DOL), Health and Human Services (HHS), and Treasury (collectively, the Departments) issued a Final Rule clarifying and adding additional requirements on health plans to provide equitable access to health insurance coverage for treatment of mental health and substance use disorders (SUDs), as required by the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) and implementing regulations at 45 C.F.R. Part 146 and 147 (the 2024 Final Rule).

MHPAEA is a federal law that prevents group health plans and health insurance issuers (collectively, Health Plans) that provide mental health or substance use disorder benefits from imposing less favorable benefit limitations on those benefits than they do for a medical condition or surgical procedure. This means that Health Plans cannot impose additional financial requirements or apply non-quantitative treatment limitations (NQTLs) to these benefits more stringently than those applied to medical/surgical benefits.

On July 3, 2024, Judge Louis Guirola, Jr. of the federal district court in Mississippi issued a nationwide preliminary injunction prohibiting the U.S. Department of Health and Human Services (HHS) from “enforcing, relying on, implementing, or otherwise acting on” the gender identity provisions of an HHS Final Rule that purported to implement Section 1557 of the Patient Protection and Affordable Care Act (ACA) and was set to go into effect on July 5, 2024. The injunction was sought by a plaintiff group comprised of fifteen individual states that alleged the Final Rule violates existing statutory and constitutional law. The breadth of the injunction includes 42 C.F.R. §§ 438.3, 438.206, 440.262, 460.98, and 460.112; 45 C.F.R. §§ 92.5, 92.6, 92.7, 92.8, 92.9, 92.10, 92.101, 92.206-211, 92.301, 92.303, and 92.304 “in so far as these regulations are intended to extend discrimination on the basis of sex to include discrimination on the basis of gender identity.” While the injunction halts the gender identity provisions of the 2024 Final Rule, the remaining provisions of the 2024 Final Rule remain in effect.

In a landmark decision on June 28, 2024, the Supreme Court overturned a 40-year-old legal precedent known as Chevron deference. Established in 1984, Chevron deference mandated that judges defer to federal agencies concerning interpretations of ambiguous laws, as long as those interpretations were reasonable. This doctrine has been a cornerstone of administrative law, significantly impacting

What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]

On May 16, 2024, the California Office of Health Care Affordability (“OHCA”) released proposed emergency regulations to update its existing rules for the reporting of certain health care transactions to OHCA for consideration of whether a Cost and Market Impact Review (“CMIR”) is warranted under the California Health Care Quality and Affordability Act. The current CMIR regulations became effective January 1, 2024, for transactions with a proposed closing date on or after April 1, 2024.

On April 29, 2024, the Food and Drug Administration (FDA) announced a Final Rule amending regulations to make explicit that in vitro diagnostic products (IVDs) are devices under the Federal Food, Drug, and Cosmetic Act including when the manufacturer of the IVD is a laboratory. Under the new rule, the FDA will phase out its laboratory developed test (LDT) enforcement discretion policy over a four-year period. The phaseout policy “applies to IVDs that are manufactured and offered as LDTs by laboratories that are certified under CLIA[1] and that meet the regulatory requirements under CLIA to perform high complexity testing, and used within such laboratories, even if those IVDs do not fall within FDA’s traditional understanding of an LDT because they are not designed, manufactured, and used within a single laboratory.”

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which requires individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

U.S. Senators Angus King (I-ME) and Marco Rubio (R-FL) recently introduced a bill addressing cybersecurity protections and oversight in the healthcare industry. The Strengthening Cybersecurity in Health Care Act, introduced on February 8, 2024, aims to bolster a vulnerable and often-targeted industry against cyberattacks. The proposal follows a number of significant cyberattacks on healthcare organizations in recent years; Senator King noted that approximately 133 million people, or nearly one in three Americans, had their personal information compromised in 2023 alone.