
President Biden’s executive order establishing new standards for artificial intelligence (AI) safety and security offers a roadmap for the implementation of AI in healthcare and clinical research.

The executive order calls for several actions to ensure emerging technology is used responsibly, such as requiring AI developers to share their safety test results with the U.S. government, calling on Congress to pass data privacy legislation, and developing principles to maximize the benefits of AI for workers.

Several provisions in the executive order seek to provide oversight for AI use in healthcare. The executive order requires the Department of Health and Human Services (HHS), in consultation with the Secretary of Defense and the Secretary of Veterans Affairs, to establish an AI Task Force by January 28 to develop a regulatory action plan around issues such as use of AI in healthcare delivery and assessing whether AI-enabled technologies in healthcare maintain appropriate levels of quality. Existing HHS programs will be leveraged to develop AI tools that can create patient immune-response profiles.

Furthermore, the executive order directs HHS to allocate the 2024 Leading Edge Acceleration Project awards, a funding opportunity offered through The Office of the National Coordinator for Health Information Technology, to initiatives that explore ways to responsibly develop AI tools for “clinical care, real-world-evidence programs, population health, public health, and related research.”

PAYING OUT-OF-NETWORK LABS FOR TEST SERVICES IS A POTENTIAL VIOLATION OF ANTI-KICKBACK STATUTE

On September 25, the Department of Health and Human Services Office of Inspector General (OIG) issued Advisory Opinion 23-06, which rejected an anatomic pathology laboratory’s proposal to purchase technical component (TC) services, such as slide preparation, from out-of-network laboratories for insured patients. The opinion is significant because OIG analyzed the proposed arrangement only from the laboratory’s perspective and without discussing either party’s intent, according to law firm Bass, Berry, & Sims.

The author of the advisory request operates commercial anatomic pathology laboratories across the U.S. that perform both TC and the professional component (PC), the pathologist’s interpretation of test results. Third-party physician and nonphysician laboratories that can perform both TC and PC sought to enter into an arrangement with the laboratory, whereby the laboratory would pay the third-party laboratories for TC services, and the laboratories would send slides to the laboratory for its pathologists to conduct PC. The laboratory would then submit a global claim for both PC and TC services.

In its unfavorable opinion, OIG wrote that the arrangement would generate prohibited remuneration under the federal anti-kickback statute, because the laboratory would pay remuneration to laboratories that could in turn refer federal healthcare program (FHCP) business to the laboratory. Though the arrangement would not involve any pathology services reimbursable by FHCPs, OIG argued that this does not insulate the arrangement from anti-kickback liability, as payment for FHCP business can be disguised as payment for non-FHCP business.

HHS OFFICE FOR CIVIL RIGHTS SETTLES RANSOMWARE CYBER-ATTACK INVESTIGATION

The Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing.

In April 2019, Doctors’ Management Services filed a breach report stating that 206,695 individuals were affected when its software was infected with ransomware. OCR found evidence of potential failures by Doctors’ Management Services to monitor potential risks to electronic protected health information, as well as insufficient monitoring of health information systems’ activity and a lack of policies aimed at implementing the requirements of the HIPAA Security Rule. Doctors’ Management Services incurs a liability for these failures despite being the target of an attack. Under the terms of the settlement agreement, Doctors’ Management Services will pay $100,000 to OCR, which will monitor the management company for 3 years to ensure HIPAA compliance.

According to OCR, ransomware and hacking are the primary cyber-threats in healthcare. In the past 4 years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. In 2023, hacking accounted for 77% of the large breaches reported to OCR, which have affected more than 88 million individuals.