On February 6, 2023, a judge for the United States District Court for the Eastern District of Texas (“Texas District Court”) ruled in favor of the Texas Medical Association (“TMA”) and against the United States Departments of Treasury, Labor, and Health and Human Services (the “Departments”) over a challenge to the continued special status given to the qualifying payment amount (“QPA”) in the arbitration process between out-of-network providers and payors under the No Surprises Act. In its lawsuit against the Departments, TMA specifically challenged the No Surprises Act requirement that Independent Dispute Resolution Entities (“IDREs”) initially consider the out-of-network rate closest to the qualifying payment amount (“QPA”), before, and otherwise limiting consideration of other non-QPA factors[1],  when determining final amounts to be paid.

As discussed in a previous blog post, the QPA,[2] which is generally the median rate paid for the service by the payor in the community, was established as the presumptive appropriate amount in a final interim rule issued by the Departments in September 2021 based on the Departments stated goal of lowering health care costs. (The QPA is generally lower than the out-of-network rates customarily paid for emergency treatment). As set forth in the interim rule, IDREs were permitted to consider non-QPA factors in their assessment of the final payment only when credible evidence demonstrated that the QPA was not the best value of the item or service under dispute. In its lawsuit against the Departments in February 2022, TMA asserted that the interim rule placed a “thumb on the scale” in favor of the QPA and, in turn, payors. The Texas District Court rejected the regulations, holding that the interim rule continued to impose an inappropriate “rebuttable presumption” in favor of the QPA in direct conflict with the No Surprises Act.

In response to the Texas District Court’s ruling, the Departments published Final Rules in August 2022, which vacated the QPA presumption. However, as noted in another previous blog post, under these Final Rules, the Departments continued to instruct IDREs to consider the QPA first as a presumptively “credible” factor, while permitting IDREs to also weigh the credibility of non-QPA factors. The Final Rules directed IDREs to evaluate non-QPA factors only secondarily and only if they were deemed credible, were related to either party’s offer and not already accounted for in the QPA.

The TMA remained dissatisfied, and brought a follow-up December 2022 lawsuit. TMA took issue with the unfair advantage granted to payors by requiring IDREs to first consider the QPA and limit the consideration of the other non-QPA factors. Again, the TMA won. The Texas District Court acknowledged that the Final Rules avoided an explicit presumption in favor of the QPA, but it nonetheless determined that the Final Rules artificially decreased the QPA’s weight by requiring IDREs to consider that factor principally. This sequencing arrangement, and the limitation of consideration of the other factors (by the requirement that they be deemed credible, related to the party’s offer in the arbitration, and not otherwise already accounted for in the determination of the QPA or other information provided), led the Texas District Court to hold, again, that the Final Rules improperly limited IDREs’ discretion, as established by Congress, in the No Surprises Act and unjustly favored commercial payors. The court reasoned that “[n]othing in the Act…instructs arbitrators to weigh any one factor or circumstance more heavily than the others … [and that a] statute’s ‘lack of text’ is sometimes ‘more telling’ than the text itself.”[3] Accordingly, the Final Rules were found to be impermissible under the Administrative Procedures Act and were vacated.

This latest win for TMA has not prevented further litigation on the dispute resolution process. Most recently, on January 31, 2023, TMA launched another lawsuit against the Departments—this time challenging the $350 initiation fee imposed on parties to initiate the IDR process. This lawsuit claims that the nonrefundable initiation fee—expected to be paid by both parties—increased by 600 percent on December 23, 2022, less than two months after CMS stated that the administrative fee would remain $50 in 2023. TMA has argued that the dramatic increase will make the IDR process significantly more expensive for all IDR participants, especially for providers where the increased fee will likely be cost prohibitive. According to TMA, providers who bill small value claims, like radiology, will be particularly affected, because most claims billed are less than $350 and, thus, initiating the IDR process will likely be economically infeasible.

Presently, in recognition of the most recent Texas District Court’s ruling, the Departments have notified IDREs that they should not issue any new payment determinations and recall any payment determinations issued after February 6, 2023 while the Departments evaluate and update IDR guidance. The Departments are expected to create new regulations to replace the vacated provisions, and the Texas District Court is yet to rule on the newly enacted $350 IDR process initiation fee.

The No Surprises Act is significantly impacting the health care industry.  IDRE determinations remain remarkably slow (and unfortunately further delayed by the litigations) and cash flow is being materially affected.  Nevertheless, it is critical to get the IDR process, which ultimately determines reimbursement, right.  Having a fair process is thus necessary to the survival of some, and the relative prosperity of virtually all, providers.

Proskauer will continue to follow developments of the No Surprises Act, its implementing regulations, and the pending dispute resolution and fee processes.

 

 

[1] Non-QPA factors include the market share of the provider and payer, the provider’s level of training, the acuity of the patients treated, the teaching status of the hospital or treatment center, and good faith efforts to enter into a network agreement.

[2] The QPA represents the median contracted rates recognized by a payer for the same or similar items or services in the same geographic area. Notably, it is a number determined exclusively by payors.

[3] Texas Medical Association, et al. v. United States Department of Health and Human Services, et al., No. 6:22-CV-372-JDK, 2023 WL 1781801, at *11 (E.D. Tex. Feb. 6, 2023).

On February 1, 2023, New York Governor Kathy Hochul announced the 2024 Executive Budget. As alluded to in the Governor’s State of the State address, and as described in an earlier Proskauer Health Care Law Brief article, the Governor is proposing to adopt a wide-ranging approval requirement for health care transactions that appears to target investor-backed physician practices.

The legislative proposals related to health care, as contained in the Governor’s budget, were introduced as Senate Bill 4007 and Assembly Bill A3007. The bills propose to amend the Public Health Law (“PHL”) to introduce a new Article 45-A, named “Review and Oversight of Material Transactions.” See 2023 New York Senate-Assembly Bill S4007, A3007, Part M § 5.

Continue Reading 2024 New York Budget Proposes Wide-Ranging Transaction Approval Requirement That Targets Private Investment in Physician Practices and MSOs, and Permits DOH to Extract Concessions

After multiple extensions over the past three years, on Monday, January 30, 2023, President Biden announced that the COVID-19 national emergency and public health emergency (“PHE”) will officially end on May 11, 2023.

However, with less than four months until that date, providers must quickly review their operations and ensure their continued compliance with billing requirement changes that will result from the PHE’s expiration.  As the Office of Management and Budget acknowledged in its Statement of Administration Policy when the announcement was made:

“An abrupt end to the emergency declarations would create wide-ranging chaos and uncertainty throughout the health care system—for states, for hospitals and doctors’ offices, and, most importantly, for tens of millions of Americans.”

Evident potential implications include:

  • Traditional Medicare and Medicare Advantage beneficiaries may lose their ability to obtain free at-home COVID-19 testing and treatments and may have to begin paying certain cost-sharing amounts relating to these and other testing and treatments.
  • Similar to Medicare and Medicaid, private health plans may begin requiring its members to pay certain cost-sharing amounts and requiring prior authorizations for COVID-19 testing, treatments, and related services.
  • Providers may also lose the government-funded revenue streams that have been provided pursuant to various Congressional allocation actions since the beginning of the PHE.
  • Certain telehealth flexibilities may no longer be available, including relaxation of certain data privacy and security requirements under, e.g., the Health Insurance Portability and Accountability Act of 1996 (aka HIPAA), unless such flexibilities are allowed to continue.
  • Providers may lose their ability to prescribe controlled substances via telehealth means and may be required, once again, only to provide prescriptions for such controlled substances pursuant to an in-person medical evaluation of the patient, unless such flexibilities are allowed to continue.
  • Physicians may lose protection for certain self-referrals under the blanket Stark Law waivers in effect during the PHE that were meant to ensure access to care for Medicare beneficiaries and Medicaid enrollees.

Notwithstanding these potential implications, the Centers for Medicare & Medicaid Services (“CMS”), to their credit, had already informed the health care industry about certain telehealth measures it had decided to continue to ensure access to care:

  • Medicare coverage for temporary telehealth services added during the PHE will continue through December 31, 2023.
  • Telehealth services provided in office settings will continue to be paid at the non-facility rate (e., higher payment) through December 31, 2023.
  • Clinical staff of hospital outpatient departments (including Critical Access Hospitals) may continue providing remote behavioral health services to patients in their own homes.
  • CMS added new billing codes for home health telecommunications technology for home health agency services to begin reporting on July 1, 2023, on a mandatory basis.

Lastly, State Medicaid and CHIP agencies will be required to begin, at any point between April and June, 2023, a 12-month unwinding period, which is a congressional requirement for States to return to normal eligibility and enrollment operations.

Since the beginning of the PHE, Proskauer has been advising its clients about the statutory, regulatory, and policy changes relating to the PHE and how to navigate their nuances and complexities.  Proskauer will remain up-to-date on such changes, as the official end of the PHE become ever more imminent.

On January 10, New York’s Governor, Kathy Hochul, delivered the 2023 “State of the State” address. The address featured a number of health care reform initiatives—a strong indication that New York will prioritize health care issues and spending in the year ahead. Below is a summary of Governor Hochul’s big-ticket health care agenda items.

First, Governor Hochul outlined how New York plans to utilize its historic $20 billion, multi-year health care spending bill to build upon New York’s health care system in the following ways:

  • Establishing a “Commission on the Future of Health Care” to help guide New York’s strategic response to ongoing innovations in how New Yorkers pay for and deliver medical care given the shift to and adoption of digital, outpatient and in-the-home services;
  • Establishing a new capital grant fund for health care technology;
  • Reforming traveling nurse agency staffing practices to reduce health care spending and require staffing agencies to register and report operational data;
  • Expanding health care providers’ “scope of practice” by joining the Interstate Licensure Compact and the Nurse Licensure Compact; and
  • Streamlining approval processes for health care projects in New York, including the Certificate of Need process and steps to ensure that private sector health care transactions are financially sustainable and support quality and access to care objectives.

Second, Governor Hochul committed to improving access to, and the quality of, mental and behavioral health care. To achieve these goals, Governor Hochul proposed:

  • Expanding insurance coverage for mental health services by prohibiting insurance companies from denying access to medically necessary, high-need, acute, and crisis mental health services, and by adopting appointment availability and geographic accessibility standards for behavioral health services;
  • Expanding mental health services for school-aged children whose need for and access to mental health services were especially affected by pandemic-related school closures;
  • Increasing operational capacity for inpatient psychiatric treatment by 1,000 beds, including by requiring Article 28 community hospitals to make use of all of their existing beds and invest $27.5 million to support increased inpatient psych rates;
  • Improving mental health care coordination and planning by creating a system of accountability—from admission through discharge and post-acute care, including Critical Time Intervention Care Coordination Teams;
  • Dramatically expanding outpatient services with 12 new psychiatric emergency care sites and 40 new treatment teams, mobilized to reach the most at-risk New Yorkers and expanded certified community behavioral health clinics to provide walk-in integrated behavioral health care; and
  • Ensuring payment parity for behavioral health services rendered in-person or via telehealth.

Third, Governor Hochul’s administration plans to “strengthen the foundation” of New York’s health care system by:

  • Expanding Medicaid coverage for preventive health services and Medicaid’s buy-in program for New Yorkers with disabilities;
  • Protecting New Yorkers from burdensome medical debt and costs by preventing creditors’ attachment of homes and wages to secure medical debt, amending the Consumer Credit Fairness Act to cover medical debt, investing in medical debt literacy, and requiring hospitals to use a standard financial assistance application form;
  • Improving primary care by expanding access and increasing Medicaid reimbursement rates;
  • Ensuring access to high quality long-term care, including by investing in care teams to provide care for low-income adults in their home;
  • Revitalizing emergency medical services and medical transportation, including allowing EMTs to treat people out in the community; and
  • Supporting the ongoing collaboration between the Office of Addiction Services and Supports and the Department of Health in addressing the State’s substance abuse epidemic.

Finally, Governor Hochul emphasized the need for emergency preparedness. In the address, she explained how New York will prepare for future emergencies by:

  • Modernizing New York’s health reporting systems to be more secure in how it stores and transmits health data, and more efficient and effective in how it uses it;
  • Rebuilding the Wadsworth Laboratories to advance cutting edge research on biomedical and environmental issues critical to protecting the health of New Yorkers; and
  • Strengthening New York’s public health emergency readiness capacity in light of lessons learned during the COVID-19 pandemic.

The full State of the State book can be found here. Many of these proposals will be included in the Governor’s proposed budget, which is expected to be released around February 1, with final budget passage after Legislative review and negotiation around April 1.

Understanding the State’s health care policy and investment objectives is critical for health care businesses and stakeholders as they plan for and develop business goals for the year. The Firm’s Health Care team can assist with evaluating and implementing strategies to account for the forthcoming changes.

 

In recent years, there have been only a handful of corporate integrity agreements (“CIAs”) and integrity agreements (“IAs”) that have included a “conditional exclusion release” of the Office of the Inspector General for the United States Department of Health and Human Services’ (“HHS-OIG”) permissive exclusion authority under 42 U.S.C. § 1320a-7(b)(7) (“Permissive Exclusion Authority”).[1]  Inclusion of a conditional exclusion release is atypical, as HHS-OIG’s historical practice has been to provide an outright release of its Permissive Exclusion Authority in exchange for a CIA or IA.  It appears, based on an IA executed last month and the other recent CIAs and IAs, that a trend may be emerging.

Specifically, in December 2022, HHS-OIG entered into an IA with a Georgia-based physician, Aarti D. Pandya, M.D., and his practice, Aarti D. Pandya, M.D. P.C. (collectively, “Dr. Pandya”).  In atypical fashion, however, HHS-OIG required the IA to be for five years (as opposed to three years) and held Dr. Pandya to a conditional exclusion release contingent upon Dr. Pandya’s satisfactory completion of the IA (as opposed to outright providing a release of its Permissive Exclusion Authority).  This IA signals to the industry that HHS-OIG is not bound by precedent and that, perhaps, a belt and suspenders approach to resolving conduct allegedly violating the False Claims Act (“FCA”) may be emerging as HHS-OIG’s new norm.

Continue Reading Another Unique Integrity Agreement Signals a Trend towards HHS-OIG’s Comfort with a Belt and Suspenders

We previously noted that the regulations implementing the No Surprises Act (“NSA”) appeared to be inconsistent with the NSA because they seemed to establish the qualifying payment amount (“QPA”) as the appropriate payment amount to be used in arbitrations by certified IDR entities (viz. the regulation-established independent dispute resolution (“IDR”) process) between plans and providers, and that the United States District Court for the Eastern District of Texas (“Texas District Court”) vacated portions of the NSA regulations relating to the QPA for purposes of the IDR process.  The Federal government recently responded to the Texas District Court—by removing such portions of the NSA regulations.

Continue Reading The Saga of the No Surprises Act Continues to be … Surprising

The Centers for Medicare & Medicaid Services (“CMS”) recently published the proposed 2023 Physician Fee Schedule (“PFS”), which contains several important changes affecting Accountable Care Organizations (“ACOs”) that participate in the Medicare Shared Savings Program (“MSSP”), including a new Advanced Incentive Program. See Proposed 2023 PFS, 82 Fed. Reg. 45,860 (July 29, 2022).

ACOs enable health care providers to provide coordinated patient care to Medicare beneficiaries, and to share in the savings resulting from improved care. According to CMS, as of January 1, 2022, over 11 million Medicare beneficiaries receive care from 483 ACOs across the country. Id. at 46,093.

The proposed changes are intended to advance “growth, alignment, and equity,” and to “increase the percentage of people with Medicare in accountable care arrangements.” Id. at 46,093-94. Of note, and as described in a publication preceding the PFS, CMS proposed the changes to increase (i)  the number of beneficiaries assigned to MSSP ACOs; (ii) the number of higher spending populations in the program, since the change to regionally-adjusted benchmarks; and (iii) the representation of Black (or African American), Hispanic, Asian/Pacific Islander, and American Indian/Alaska Native beneficiaries assigned to MSSP ACOs, as compared to Non-Hispanic Whites.

Continue Reading CMS Aims to Grow ACO Participation

On July 20, 2022, the Office of Inspector General for the Department of Health and Human Services (“OIG”) issued a special fraud alert (“Alert”) advising “practitioners to exercise caution when entering into arrangements with purported telemedicine companies.” The Alert is only one of four such “special fraud alerts” that the OIG has issued in the past decade and it illustrates the importance of OIG’s statements.

OIG Flags Seven Characteristics of Telehealth Fraud

In the Alert, OIG cautions that certain companies that purport to provide telehealth, telemedicine, or telemarketing services (collectively, “Telemedicine Companies”) have carried out fraudulent schemes by: (i) aggressively recruiting physicians and non-physician practitioners (collectively, “Providers”) and (ii) paying kickbacks to such Providers in exchange for the ordering of unnecessary items or services, including durable medical equipment, genetic testing, and other prescription items. According to OIG, the fraudulent schemes have varied in design and operation and involved a variety of individuals, Providers, and health care vendors, including call centers, staffing companies, and marketers.

Continue Reading OIG Issues Special Fraud Alert Regarding Telemedicine Arrangements

On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog.  The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.

While this latest drumbeat on this issue came from the FTC, we expect to see attention to this issue by other regulators, including, perhaps, the Department of Justice as well as state attorneys general.

Although the FTC post centers on location data and reproductive health services, it is likely that there will be more scrutiny of the collection and use of location data in general. This renewed focus will potentially subject a wide group of digital ecosystem participants to increased attention.  The spotlight will likely fall on interactive platforms, app publishers, software development kit (SDK) developers, data brokers and data analytics firms – over practices concerning the collection, sharing and perceived misuse of data generally.

The FTC blog post briefly explains the “opaque” world surrounding the collection of mobile location data (which the FTC asserts is often done without consumers’ full understanding) and the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The post states that the misuse of mobile location and health information, including reproductive health data, “exposes consumers to significant harm.” As such, the FTC announced that it will “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”  More concrete legal requirements covering the collection and use of mobile location data may come with the passage of a bipartisan federal comprehensive privacy bill, but passage of this bill remains uncertain.

The FTC’s blog post closes with a few guidance tips on what companies should be considering when collecting or using sensitive consumer information, including location and health data:

  • Sensitive data is protected by various federal and state laws. Such laws include the FTC Act which regulates unfair and deceptive trade practices, the Children’s Online Privacy Protection Act (COPPA) and various state data privacy laws.
  • Examine claims that data “has been anonymized.” The FTC states that firms making misleading claims about anonymization in this area may violate the FTC Act, “especially in the context of location data.”
  • The agency will bring enforcement actions for misuse of consumer data. The post outlines several recent enforcement actions over misuse of sensitive consumer data, including location data.

The FTC’s blog post is just the latest in an increasing level of attention to the collection of data from mobile devices. As we’ve previously written about, the issue of location data has already garnered attention in Congress, and it would not be surprising to see some state legislatures – a number of which have already passed or considered comprehensive data privacy laws – take up the issue. Companies collecting or using mobile location data should pay close attention to developments in this area.

Fifty years of legal precedent established by Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southern Pa. v. Casey, 505 U.S. 833 (1992), were overturned in Dobbs v. Jackson Women’s Health Organization, holding that the Constitution does not confer a right to abortion and leaving abortion laws to individual states to decide. This new landscape has introduced a wave of legal questions, and among these are questions regarding the protection of personal information related to abortion and contraceptive services. In efforts to address some of these privacy questions, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) published new guidance with respect to the Health Information Portability and Accountability Act (HIPAA) Privacy Rule (“Privacy Rule”). The new HIPAA guidance generally reminds providers about their obligations under the Privacy Rule to safeguard patients’ protected health information (“PHI”), even under many circumstances where the information has been requested by government officials or in the context of litigation. In addition, recognizing the extent to which patient information is held on patients’ personal smartphones and not protected under HIPAA (e.g., data entered into personal health apps, search history related to abortion and other reproductive care, and geolocation data), yet may be relevant under new criminal and civil state abortion laws, HHS issued supplemental guidance to consumers on how to protect and secure personal information on phones and tablets that is not otherwise protected by HIPAA.

Under the Privacy Rule, disclosure of PHI without patient authorization is permitted only in “narrow circumstances”, and disclosure of PHI to law enforcement is limited based on the facts and the nature of the requests (e.g., court-ordered warrant, subpoena, or to prevent or lessen a “serious and imminent threat to health or safety.”)[1] The Privacy Rule expressly defers to a provider’s professional judgement in determining what constitutes a “serious and imminent threat”;[2] however, per the guidance, OCR has clarified that it is “inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.”[3] Moreover, the “narrow circumstances” for disclosure include, but are not limited to, efforts to:

  • Comply with a court order, court-ordered warrant, subpoena, summons issued by a judicial officer, or a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(A)-(B);
  • Respond to an administrative request[4] ((45 CFR 164.512(f)(1)(ii)(C));
  • Report PHI that a covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5));
  • Respond to a request for PHI about a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)); and
  • Report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)).

Thus, absent a court order, the Privacy Rule’s exceptions to disclose PHI for law enforcement purposes do not permit disclosure to law enforcement where a hospital or health care provider wishes to report an individual’s abortion or other reproductive health care. Thus, a hospital employee who suspects a patient of having an abortion in a state where it is illegal cannot report the planned abortion to law enforcement unless a state law specifically requires such reporting. HHS clarifies that a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health and safety” of a person or the public.[5] Disclosing such information to law enforcement under such circumstances would be impermissible and would constitute a breach of unsecured PHI, requiring notification to HHS and the individual affected.[6]

And, while the Privacy Rule generally does not protect the privacy or security of an individual’s health information when it is accessed through or stored on a personal cell phone or tablet, guidance released last week by HHS outlined how individuals can protect themselves. The Privacy Rule only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates (e.g., health care providers and health insurers), and does not extend to protecting the privacy of an individual’s Internet search history, any information that one voluntarily shares online, or an individual’s geographic location information. Consequently, the guidance sheds light on the ways one can protect their digital footprint and decrease how devices collect and share health and personal information.

Moreover, in response to the Dobbs decision and increasing concerns that personal data will be used to incriminate people seeking abortions, Sen. Elizabeth Warren, supported by a slate of five Democratic senators, proposed the passing of the Health and Location Protection Act to bar “data brokers from selling or transferring location data and health data.” If approved, the bill would permit the Federal Trade Commission and states’ attorneys general to sue brokers found to be in violation of the law. Notably, the legislation would include exceptions for compliance with HIPAA.

The legislative and regulatory landscape addressing abortion and reproductive health services is certain to change in the near future as states respond to the Dobbs decision. As granted by Dobbs, states will now have the authority to enforce their own abortion rules, which creates an opportunity for widely varying state statutes, penalties, exceptions, circumstances, and a variety of other consequences across the country. Health care providers that provide a full spectrum of women’s health care services, including abortion, will need to review their policies and procedures to ensure compliance with state laws and to understand how the Dobbs decision affects the care they can provide to patients. Providers should be familiar with the new guidance to verify the circumstances under which HIPAA permits the disclosure of PHI without patient authorization.

Proskauer is available to assist with addressing the short- and long-term implications of the Dobbs decision in the wake of forthcoming regulatory changes.

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[2] https://www.hhs.gov/hipaa/for-professionals/faq/3002/what-constitutes-serious-imminent-threat-that-would-permit-health-care-provider-disclose-phi-to-prevent-harm-patient-public-without-patients-authorization-permission/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[4] Provided that: the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and de-identified information could not reasonably be used.

[5] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[6] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html