Digital health companies, investors, and other healthcare organizations should follow policy developments with a strategic lens towards their market opportunities for key potential growth and risk mitigation. On a quarterly basis, we provide relevant legislative and regulatory updates on artificial intelligence (AI) and digital health policy developments.
Judicial Updates
- Supreme Court Overturns Chevron Doctrine (June 28, 2024)
- The U.S. Supreme Court issued a 6-3 ruling overturning a landmark 1984 decision in Chevron v. Natural Resources Defense Council, effectively reducing the power of federal agencies and transferring power to Congress and the courts. Under the Chevron doctrine, if Congress has not directly addressed the question at the center of a dispute, a court was required to give deference to federal agencies’ interpretation of an ambiguous law and to uphold a federal agency’s interpretation of the statute as long as it was reasonable.
- Why it matters for you: This ruling could have substantial implications for federal agency rulemaking, including by the Department of Health and Human Service (HHS). Specifically, it may limit agencies’ ability to provide clarifications in regulations and may subject agency policies to legal challenges. This will also lead to greater uncertainty and risk for healthcare entities and health technology companies.
- Texas District Court Vacates OCR’s HIPAA Guidance on Online Tracking Technologies (June 20, 2024)
- The U.S. District Court for the Northern District of Texas (the Court) ordered the HHS Office for Civil Rights (OCR) to vacate part of its guidance that had restricted Health Insurance Portability and Accountability Act of 1996 (HIPAA)-covered entities’ use of third-party online tracking technologies. In December 2022, OCR published guidance stating that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information (PHI) to tracking technology vendors. In addition, the guidance appeared to expand the definition of individually identifiable health information (IIHI), of which PHI is a subset, by providing examples of actions that trigger HIPAA obligations. At the heart of this case was OCR’s example where an online technology connects an individual’s IP address with a visit to a covered entity’s unauthenticated public webpage (UPW) that addresses specific health conditions or healthcare providers.
In response to this guidance and particularly the aforementioned example, the American Hospital Association (AHA) and other provider groups challenged the guidance, stating that OCR exceeded its statutory authority and thus failed to satisfy the requirements for agency rulemaking when it seemingly expanded the definition of IIHI by publishing this guidance. Before the judgment was released, OCR issued on March 18 revised guidance that contains softened language compared to the original guidance and states that its policy does not “have the force and effect of law” and is “not meant to bind the public in any way.”
In its ruling, the Court held that OCR exceeded its authority by redefining what is considered IIHI under HIPAA and ordered that the OCR guidance be vacated to the extent it provides that HIPAA obligations are triggered in circumstances where an online technology connects an individual’s IP address with a visit to an UPW addressing specific health conditions or healthcare providers. According to the Court, this information only becomes IIHI if the visitor’s motive is related to the visitor’s health, which is an “unknowable subjective-intent element” that is not included in the data transmission.
- Why it matters for you: Regulated entities should remain cautious about implementing tracking technologies on their UPWs and should evaluate whether any data disclosed as a result of such tracking technologies qualifies as PHI and may therefore trigger HIPAA requirements. They should also be aware that the federal government, including OCR and the Federal Trade Commission (FTC), continues to issue policy and bring enforcement action against companies that handle individuals’ health data.
Executive Branch and Federal Agency Updates
- HHS Issues Final Rule Establishing Disincentives for Health Care Providers That Have Committed Information Blocking (June 24, 2024)
- The Department of Health and Human Services (HHS) released a final rule (the Disincentives Final Rule) that establishes disincentives for certain healthcare providers that have committed information blocking and provides information related to the HHS Office of the Inspector General’s (OIG’s) investigation of claims of information blocking and referral of such a healthcare provider to an appropriate agency to be subject to appropriate disincentives. Information blocking occurs when a healthcare provider knowingly engages in a practice that unreasonably and likely interferes with, prevents, or materially discourages the access, exchange, or use of electronic health information, unless otherwise required by law or covered by an exception.
The Disincentives Final Rule is effective 30 days after publication in the Federal Register. It establishes the following provisions:
- Medicare Promoting Interoperability Program for Eligible Hospitals and Critical Access Hospitals (CAHs): A determination of information blocking by an eligible hospital or CAH that OIG refers to the Centers for Medicare & Medicaid Services (CMS) would result in the eligible hospital or CAH not being a meaningful electronic health record (EHR) user in an applicable EHR reporting period. An eligible hospital would lose 75% of the annual market basket increase, while a CAH subject to the disincentive would have payments reduced to 100% of reasonable costs instead of the 101% of reasonable costs associated with successful participation.
- Promoting Interoperability Performance Category of Medicare Merit-based Incentive Payment System (MIPS): A determination of information blocking by an eligible clinician would result in the eligible clinician not being a meaningful user of certified EHR technology in a performance period and therefore receiving a zero score in the Promoting Interoperability performance category of the Medicare MIPS, typically a quarter of the total MIPS score.
- Medicare Shared Savings Program: A determination of information blocking would result in a healthcare provider that is an accountable care organization (ACO), ACO participant, or ACO provider/supplier being deemed ineligible to participate as, or in, an ACO for at least one year. This disincentive will be effective 30 days after publication of the final rule; however, any disincentive under the Shared Savings Program would be imposed after January 1, 2025.
- Why it matters for you: Information blocking disincentives directly impact Medicare-enrolled healthcare providers or suppliers including hospitals, CAHs, MIPS-eligible clinicians, and ACOs. Such healthcare providers should develop and/or review the establishment of transparent and non-discriminatory organizational policies and data governance frameworks to comply with information blocking regulations. HHS has also stated it may establish additional disincentives through future rulemaking.
The Disincentives Final Rule complements a June 2023 OIG Final Rule that established a civil monetary penalty for non-healthcare providers (including health information technology (IT) developers of certified health IT or other entities offering certified health IT and health information exchanges and networks) of up to $1 million per violation if OIG determines that any of these individuals or entities committed information blocking (see our client alert here).
- FDA Publishes Blog on AI in Health Care and Medical Device Development (June 17, 2024)
- Troy Tazbaz, the Director of the Digital Health Center of Excellence at the U.S. Food and Drug Administration (FDA), published a blog outlining FDA’s areas of focus when regulating AI technologies in health care. In order to reduce risk, Tazbaz highlights the importance of standards and best practices for the AI development lifecycle. Specific to device safety, he recommends that medical device manufacturers and health technology developers perform continuous monitoring before, during, and after deployment to help ensure that quality assurance is applied across the lifecycle of an AI model’s development and use in health care. FDA plans to address in future publications additional considerations for the use of AI in medical devices, including standards, best practices, and operational tools; quality assurance laboratories; transparency and accountability; and risk management for AI models in health care.
- Why it matters for you: FDA has a key role to play in the safe use of AI-enabled health technology and use of AI to develop health care products. Health technology developers that are leveraging AI and users of these tools should make sure to implement quality assurance protocols. They should also expect to see additional FDA guidance and publications that address AI in health care.
- CMS Announces Application Period for the Innovation in Behavioral Health Model (June 17, 2024)
- The Centers for Medicare and Medicaid Services (CMS) announced the release of the Notice of Funding Opportunity (NOFO) application for the Innovation in Behavioral Health (IBH) Model. The IBH Model aims to improve the quality of care and health outcomes for people with moderate to severe behavioral health conditions, including mental health conditions and/or substance use disorders. It aims to address gaps between behavioral and physical health by enabling specialty behavioral health practices to integrate behavioral health with physical health care and health-related social needs. The IBH Model is a state-based model, led by state Medicaid agencies (SMAs), with a goal of aligning payment between Medicaid and Medicare for integrated care. The model will launch in the last quarter of 2024 and run for eight years.
- Why it matters for you: The IBH Model is the first comprehensive behavioral health payment model for CMS intended to drive enhanced quality and outcomes, increase access to whole person care, and strengthen IT systems’ capacity. SMAs and others interested in applying to the IBH Model can access the NOFO here. Eligible applicants include all 50 states, Washington DC, and U.S. territories. CMS will hold a webinar on the IBH Model NOFO on July 11, 2024 (register here). CMS states that award notices will be issued to selected SMAs in mid-December.
- White House Hosts AI Aspirations Event, Highlights AI in Drug Development (June 13, 2024)
- The White House convened leaders from federal agencies, companies and academia to discuss the federal government’s research efforts for AI applications in public sector contexts, including in health care. Participants discussed the Administration’s plans to leverage AI systems to support public sector capabilities, and highlighted research and development efforts for application in seven different sectors, including drug discovery. Wade Shen, Director for Proactive Health at Advanced Research Projects Agency for Health (ARPA-H), discussed using AI to develop new medicines for diseases and highlighted the importance of using high-quality data and preventing exacerbating inequities and bias.
- Why it matters for you: The White House AI Aspirations event demonstrates that the Administration is taking a whole-of-government approach (and including the private sector) to better understand the risks and policy guardrails needed to guide AI innovation. Additional information about AI Aspirations is available here.
- ARPA-H Announces UPGRADE Program to Support Healthcare Facilities’ Cybersecurity (May 20, 2024)
- ARPA-H announced the launch of the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program, a cybersecurity effort that will invest more than $50 million to create tools for information technology (IT) teams to ensure cybersecurity in hospitals. The UPGRADE program envisions an autonomous cyber-threat solution that enables proactive, scalable, and synchronized security updates in order to protect hospital operations and keep devices secured. Specifically, it will seek to address an existing gap in digital health security and to enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software. ARPA-H states that, through a forthcoming solicitation, UPGRADE will seek performer teams to submit proposals on four technical areas: (1) creating a vulnerability mitigation software platform; (2) developing high-fidelity digital twins of hospital equipment; (3) auto-detecting vulnerabilities; and (4) auto-developing custom defenses. It anticipates rewarding multiple awards to organizations.
- Why it matters for you: Equipment manufacturers, cybersecurity experts, and hospital IT staff, among other stakeholders interested in learning about UPGRADE should read more about the program here.
- HHS Applies Discrimination Prohibitions to Use of Automated and Non-Automated Patient Care Decision Support Tools (May 6, 2024)
- The Department of Health and Human Services (HHS) published a final rule (the 1557 Final Rule) to implement Section 1557 of the Affordable Care Act, which prohibits discrimination on the basis of race, color, national origin, age, disability, or sex, in covered health programs or activities. The 1557 Final Rule prohibits covered entities that receive HHS funding or that are administered by HHS and insurers that receive federal financial assistance (i.e. pharmacies, hospitals, health clinics, health insurance issuers, state Medicaid agencies, community health centers, physicians’ practices, and home health care agencies) to refuse to treat or to otherwise discriminate against an individual on the basis of their race, color, national origin, sex (i.e. sexual orientation, gender identity, sex characteristics including intersex traits, pregnancy or related conditions, and sex stereotypes), age, or disability. This applies to covered entities’ use of “patient care decision support tools,” which includes AI, clinical algorithms, and non-automated decision-making tools. Specifically, the 1557 Final Rule imposes an ongoing responsibility on covered providers to identify their use of patient care decision support tools that directly measure race, color, national origin, sex, age, or disability and to make reasonable efforts to mitigate the risk of discrimination from their use of these tools. Any violations of the Final Rule will be evaluated on a case-by-case basis and may consider factors such as: (1) the covered provider’s size and resources; (2) whether the covered provider used tools in a manner intended by the developer and approved by regulators, (3) whether the covered provider received product information from the tool’s developer regarding variables that may lead to discrimination, and (4) whether the covered provider has a process in place for evaluating patient care decision support tools. For more information on the 1557 Final Rule, see our client alert here.
- Why it matters for you: By March 3, 2025, covered entities must establish and implement policies and procedures to (1) identify if they use patient care decision support tools, (2) assess whether these tools use variables that measure race, color, national origin, sex, age, or disability, and (3) to the extent they are able to make that determination, implement safeguards to mitigate against any discrimination. Technology companies that make these tools should consider how to support their customers’ compliance needs.
- HHS Releases Plan for Promoting Responsible Use of AI by State, Local, Tribal, and Territorial Governments in the Administration of Public Benefits (April 29, 2024)
- HHS publicly shared its plan (the Plan) addressing the use of automated or algorithmic systems in the implementation and administration of HHS-funded public benefits programs and services provided by state, tribal, local, and/or territorial government entities (STLTs). The Plan provides recommendations to balance opportunities and risks in using AI systems and to outline use cases and best practices for use of AI in local settings. The Plan also identified key areas of concern, including privacy, safety, security, the potential for bias, and fraud, and emphasized the importance of equitable development and use of AI. This Plan was published in response to Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.”
- Why it matters for you: Stakeholders developing and implanting AI-enabled tools may be interested in the Plan because it provides recommendations to STLTs and their technology vendors for how they should choose, procure, design, govern, and manage AI in the administration of public benefits and services. Additionally, since the AI EO was issued, federal departments and agencies have been working to develop deliverables that have upcoming implementation deadlines. We expect that in the coming months HHS will release additional deliverables, as required by the EO, including an AI quality strategy, AI safety program, and strategy for regulating use of AI in drug development.
- FTC Releases Updated Health Breach Notification Final Rule (April 26, 2024)
- The Federal Trade Commission (FTC) finalized changes to the Health Breach Notification Rule (HBNR), clarifying its applicability to health apps and other similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). The HBNR Final Rule, which largely finalizes changes proposed in the May 2023 Notice of Proposed Rulemaking (NPRM), broadens the scope of entities subject to the HBNR, and clarifies that breaches subject to the HBNR include not only cybersecurity intrusions but also unauthorized disclosures (even those that are voluntary). It will take effect July 29, 2024. For additional information on the HBNR Final Rule, see our client alert here.
- Why it matters for you: The HBNR Final Rule comes on the heels of a number of recent enforcement actions against companies that handled health data, which have signaled a greater regulatory and enforcement focus on the privacy and security practices of health apps and similar technologies. It is the culmination of the FTC’s efforts in the last several years to broaden the scope of the HBNR and has significant implications for digital health companies. Entities that hold health data and are not subject to HIPAA should carefully review the HBNR Final Rule to determine if they are covered and review policies and practices to comply with the new regulations.
- HHS Issues Final Rule to Support Reproductive Health Care Privacy Under HIPAA (April 22, 2024)
- The HHS Office for Civil Rights (OCR) issued a final rule (HIPAA Final Rule) to modify the HIPAA Privacy Rule to support reproductive health care privacy by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. The HIPAA Final Rule aims to address new privacy issues that have resulted in the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization (Dobbs) and finalizes provisions prohibiting covered entities and business associates from using or disclosing PHI to investigate or impose liability on any person for the “mere act” of seeking, obtaining, providing, or facilitating lawful reproductive health care, or to identify any person for such purposes. The HIPAA Final Rule is effective since June 25, 2024, but covered entities and business associates will have until December 23, 2024 to comply with most of the its provisions. For additional information on the HIPAA Final Rule, see our client alert here.
- Why it matters for you: The HIPAA Final Rule should have significant implications for patients, providers and other regulated entities that maintain information related to reproductive health care. Covered entities must now be aware of when information requests implicate reproductive health care as such requests may trigger the New Prohibition and other requirements under the Final Rule.
- ONC Releases Common Agreement Version 2.0 (April 22, 2024)
- The Office of the National Coordinator for Health Information Technology (ONC), in coordination with the Recognized Coordinating Entity (RCE), The Sequoia Project, Inc., released Common Agreement Version 2.0 (CA v2.0), which includes an updated version of the Participant/Subparticipant Terms of Participation (ToP). Earlier this year, the RCE released and requested public feedback on several new and updated draft Trusted Exchange Framework and Common Agreement (TEFCA) materials. These materials include: (1) draft CA v2.0; (2) the QHIN Technical Framework (QTF) Version 2.0; (3) Participant/Subparticipant ToP; and (4) various Standard Operating Procedures (SOPs) documents. HHS states that the seven designated Qualified Health Information Networks (QHINs) under the TEFCA can now adopt and begin implementing the new version.
Additionally, ONC has been working to incorporate the comments on the SOP documents it received during the public feedback period and released a number of updated documents on July 1 (see here). The SOPs are written procedures adopted pursuant to the Common Agreement and incorporated by reference into a Framework Agreement to provide detailed information or requirements related to TEFCA Exchange.
- Why it matters for you: ONC has led a multi-year, public-private process in collaboration with The Sequoia Project to implement TEFCA, which is intended to make data sharing more efficient, secure, and move the industry toward greater interoperability. ONC’s release of CA v2.0 marks another major milestone in the federal government’s initiative to enable nationwide health data exchange. While this is a voluntary program, HHS is invested in its success and is providing incentives to use TEFCA via regulation. We anticipate more TEFCA guidance in the near future.
- AHRQ Outlines Principles and Recommendations to Advance Digital Healthcare Equity (April 18, 2024)
- The HHS Agency for Healthcare Research and Quality (AHRQ) issued the Digital Healthcare Equity Framework(the Framework) to guide users and stakeholders to consider equity throughout the entire lifecycle when implementing digital healthcare solutions. AHRQ also released a separate implementation guide (the Guide) to outline best practices and examples to implement the Framework. The Framework and Guide provides to a variety of stakeholders, including digital healthcare developers and vendors, health systems, health plans, and clinical providers, recommendations to assess equity during each phase of the digital healthcare lifecycle.
- Why it matters for you: The Framework is designed as a tool to help users and other stakeholders intentionally consider equity during each phase of the digital healthcare lifecycle while the Guide provides a step-by-step path for stakeholders who want to implement the Framework. Both publications provide helpful resources to support various stakeholders when developing and implementing digital health technologies. They demonstrate HHS’ action to further encourage adoption of digital health technologies as well as the Administration’s government-wide goal to integrate health equity by design.
- ONC HITAC Convenes Panelists of Experts in AI Hearing (April 11, 2024)
- On April 11, 2024, the ONC Health Information Technology Advisory Committee (HITAC) held a hearing to discuss priorities related to the development, deployment, ongoing monitoring and post-market surveillance of AI-enabled systems and tools in the health and human services sector. The panels included representatives from federal agencies, health systems, plans and other healthcare stakeholders. Notably, the panel discussed ongoing work to operationalize the AI Executive Order and focused the discussion on the predictive and generative AI-enabled technologies in healthcare delivery. Additional discussions addressed the following topics: potential federal regulation of AI-enabled tools in health care; secondary use of data; and data transparency, quality and safety policy guardrails.
- Why it matters for you: ONC’s recent HITAC meeting and hearing on AI provides helpful insight on federal agencies’ interest and continued work to establish policy guardrails regulating health AI systems and tools. Health IT developers and other interested parties should continue to monitor health AI-related government meetings and proposals as it may provide insight on forthcoming proposed regulations. It also provides insight on the practices of some health systems that are leaders of AI deployment.
- FTC Announces Enforcement Actions Against Companies for Health Data Privacy Violations (April 2024)
- During April 2024, the FTC announced two separate enforcement actions against Monument Inc., and Cerebral Inc. Both enforcement actions state that companies participated in deceptive and unfair acts or practices in violation of Section 5 of the FTC Act. Companies were also charged with violating Section 8023 of the Opioid Addiction Recovery Fraud Prevention Act of 2018 (OARFPA), a statute that prohibits deceptive acts or practices with respect to any substance use disorder (SUD) treatment service or product.
- Monument, Inc.: On April 11, 2024, the FTC announced an enforcement action against Monument Inc. for allegedly disclosing users’ personal health data to third-party advertising platforms for advertising without consumer consent. According to the FTC’s complaint, Monument disclosed its users’ health information, including highly sensitive data, despite promising that its services are “100% confidential” and “HIPAA compliant.” In the proposed order, the FTC proposes banning Monument from disclosing health information for advertising and must obtain users’ affirmative consent before sharing health information with third parties for any other purpose. It also imposes a $2.5 million civil penalty for violating OARFPA, which will be suspended due to the company’s inability to pay, and requires Monument to implement a comprehensive privacy program.
- Cerebral, Inc.: On April 15, 2024, the FTC announced an enforcement action against Cerebral, Inc., for repeatedly breaking privacy promises to consumers and misleading them about the company’s cancellation policies. According to the complaint, Cerebral and its former CEO, Kyle Robertson, failed to deploy adequate safeguards for the sensitive data collected from consumers and engaged in inadequate security practices. In the proposed order, the FTC orders Cerebral to pay nearly $5.1 million, which will be used to provide partial refunds to consumers impacted by its deceptive cancellation practices and a $10 million civil penalty, which will be suspended after a $2 million penalty payment due to the company’s inability to pay the full amount. It also bans Cerebral from using or disclosing consumers’ personal and health information to third parties for most marketing or advertising purposes in addition to prohibiting Cerebral from misrepresenting any negative option and cancellation policies or practices.
- Why it matters for you: Stakeholders should continue to follow developments in FTC enforcement and policy activity related to health data privacy. As demonstrated by recent enforcement actions, the FTC continues to focus on tracking technologies and sensitive health data, specifically related to SUD and mental health treatments.
- ONC Releases Health Equity by Design Plan for Health IT (April 11, 2024)
- ONC released for public feedback a white paper outlining ONC’s approach for Health Equity by Design (HEBD) entitled, “Advancing Health Equity by Design and Health Information Technology: Proposed Approach, Invitation for Public Input, and Call to Action” (ONC Health Equity White Paper). ONC envisions HEBD as a systematic approach in which health equity is considered at each phase of health IT system design and at every stage of policy and implementation to help mitigate widespread inequities in health and care systems. Specifically, it focuses on leveraging an HEBD approach as it relates to health IT data standards, health IT certification, electronic health data exchange, coordination of health IT-related activities, and measurement and monitoring of health inequities in health IT-related activities. The ONC Health Equity White Paper provides a summary of actions ONC has taken to advance equity and highlights the potential harm that AI and clinical decision support tools can play in perpetuating bias. ONC included specific questions for public input (including questions on how organizations integrate health equity and their priorities to address barriers and advance equity) and accepted comments through June 10.
- Why it matters for you: ONC calls upon private and public-sector health stakeholders to apply an HEBD approach and to integrate health equity as a core principle now when designing, building, and implementing health IT policies and health IT systems and uses. Stakeholders that develop and implement health IT should review the ONC Health Equity White Paper and note ONC’s efforts to integrate the HEBD approach in its policies.
- CMS Announces Behavioral Health Strategy (April 2, 2024)
- CMS released the CMS Behavioral Health Strategy to outline areas of focus to ensure that high-quality behavioral health services and supports are accessible to CMS beneficiaries and consumers. The CMS Behavioral Health Strategy focuses on three key areas: (1) substance use disorders (SUDs) prevention, treatment and recovery services; (2) ensuring effective pain treatment and management; and (3) improving mental health care and services. These areas are aligned with CMS’s overall focus on four health outcomes-based domains: coverage and access to care, quality of care, equity and engagement, and data and analytics.
- Why it matters for you: The updated CMS Behavioral Health Strategy follows a series of announcements and publications (e.g., the HHS Roadmap for Behavioral Health Integration, theHHS Overdose Prevention Strategy, and the HHS Pain Management Task Force Report) in recent years to bolster federal support for behavioral health services. Stakeholders that leverage digital health technologies to improve healthcare delivery for behavioral health and SUD patients should be aware of CMS’ efforts to overcome barriers to behavioral health care and to address the national mental health and SUD crises.
U.S. Federal/State Legislative Updates
- House Lawmakers Issue RFI on Cures 2.0 Implementation (June 6, 2024)
- Representatives Diana DeGette (D-CO) and Larry Bucshon (R-IN) issued a request for information (RFI) to healthcare stakeholders about policies related to the 21stCentury Cures Act and Cures 2.0 legislation that Congress can enact to bring about the next generation of treatments and to support transformative health care improvements. The RFI includes the following questions:
- Do the policies included in Cures 2.0 that have advanced through legislation or executive action meet the needs that the original Cures 2.0 bill aimed to address?
- What elements might be missing that are essential for further progress?
- What additional reforms, support mechanisms, or incentives are needed to enhance or improve the effectiveness of the steps already taken, including any structural reform to agencies, offices, or programs involved?
- Why it matters for you: To respond to the RFI, stakeholders should submit responses to rfi@mail.house.gov by close of business on August 2, 2024. It is important to provide feedback; however, it is unlikely that Cures 2.0 legislation will move this year.
- Colorado Enacts AI Consumer Privacy Law (May 17, 2024)
- Colorado Governor Jared Polis signed SB205, Consumer Protections for Interactions with Artificial Intelligence (the Colorado AI Act), into law. The Colorado AI Act establishes requirements relating to transparency and preventing algorithmic discrimination and requiring differing obligations for developers and deployers when implementing AI technologies. As outlined in our client alert, it creates a rebuttable presumption, for both deployers and developers, that reasonable care was used if they meet specific requirements and disclose key information about high-risk AI systems. Developers, deployers and companies using “high-risk AI systems” that conduct business in Colorado must adhere to the law’s requirements. It will take effect on February 1, 2026.
- Why it matters for you: The Colorado AI Act marks a significant state-level development in AI regulation. Stakeholders located in and/or conducting business in Colorado should evaluate the impact of the law on the development and implementation of AI-enabled technologies. We have seen a slew of recent state-level legislative activity with respect to comprehensive AI bills across various states, including in Utah. The latest regulations recently passed in Utah and Colorado have focused on broader consumer protection objectives in the use of AI.
- Senate AI Working Group Releases AI Roadmap (May 15, 2024)
- The Bipartisan Senate AI Working Group, comprised of Senate Majority Leader Chuck Schumer (D-NY), Senator Mike Rounds (R-SD), Senator Martin Heinrich (D-NM), and Senator Todd Young (R-IN), released a policy roadmap (the Roadmap) to outline an overarching policy framework to regulate AI across industries; identify areas of consideration for Congressional committees; and help to stimulate consideration of bipartisan AI legislation. The development of the Roadmap involved a number of educational briefings and forums that focused on ensuring innovative and ethical use of AI technologies. The Roadmap outlines the following key policy priorities: support innovation and investment in research and development; train the AI workforce; address high impact uses of AI; address privacy and liability risks; address transparency, explainability, intellectual property, and copyright; safeguard against AI risks; and ensure national security.
Specific to the healthcare sector, the Roadmap states that AI tools are being used in health care services. It outlines to the committees of jurisdiction in health care the following areas for consideration:
- Consider legislation that both supports further deployment of AI in health care and implements appropriate guardrails and safety measures to protect patients, including consumer protection; preventing fraud and abuse; and promoting the usage of accurate and representative data.
- Support the National Institutes of Health (NIH) in the development and improvement of AI technologies.
- Ensure that HHS and federal agencies (i.e., FDA and ONC) have the proper tools to weigh the benefits and risks of AI-enabled products so that it can provide a predictable regulatory structure for product developers.
- Consider legislation that would provide transparency for providers and the public about the use of AI in medical products and clinical support services, including the data used to train the AI models.
- Consider policies to promote innovation of AI systems that meaningfully improve health outcomes and efficiencies in health care delivery, including. This should include examining the CMS’ reimbursement mechanisms and guardrails to ensure accountability, appropriate use, and broad application of AI across populations.
- Why it matters for you: The release of the Roadmap is part of a larger Congressional effort to discuss the benefits and dangers of AI, including in clinical and healthcare settings, and may lead to the development of comprehensive AI legislation. Notably, the policy recommendations included in the Roadmap have bipartisan support. The Senate will need the cooperation of the House of Representatives to enact AI legislation. Earlier this year, the House launched a bipartisan AI task force to develop its own policy proposals. Stakeholders that develop and use AI-enabled technology should keep apprised of additional AI-related Congressional action.
Upcoming Policy Developments
In the coming months, we are watching out for the following policy updates from the Administration.
- The Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability Proposed Rule (HTI-2): The HTI-2 Proposed Rule is under review by the Office of Management and Budget (OMB). ONC has stated that the HTI-2 Proposed Rule will propose new standards to enable interoperability; establish certification requirements for APIs focused on use cases such as electronic prior authorization (ePA), patient engagement, care management, and care coordination; address information blocking; and bolster public health data infrastructure.
- Hospital Inpatient Prospective Payment Systems (IPPS) for Acute Care Hospitals; the Long-Term Care Hospital Prospective Payment System; and Fiscal Year (FY) 2025 Rates (CMS-1808): This annual CMS rule revises the Medicare hospital inpatient and long-term care hospital prospective payment systems for operating and capital-related costs. In addition, the rule proposes to establish new requirements or revise existing requirements for quality reporting by specific Medicare providers (e.g., the Medicare Promoting Interoperability Program). CMS released the FY 2025 IPPS Proposed Rule on May 5, 2024.
- Calendar Year (CY) 2025 Hospital Outpatient PPS (OPPS) Policy Changes and Payment Rates and Ambulatory Surgical Center Payment System Policy Changes and Payment Rates (CMS-1809): This annual CMS rule revises the Medicare hospital outpatient prospective payment system to implement statutory requirements and describes changes to the amounts and factors used to determine payment rates for services.
- CY 2025 Revisions to Payment Policies Under the Physician Fee Schedule (PFS) and Other Revisions to Medicare Part B (CMS-1807): This annual CMS rule revises payment polices under the Medicare physician fee schedule and makes other policy changes to payment under Medicare Part B. These changes would apply to services furnished beginning January 1, 2025.
Crowell Health Solutions is a strategic consulting firm focused on helping clients to pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based care. We provide this monthly update on AI and digital health policy issues for health care stakeholders and innovators. Follow Crowell Health Solutions’ Trends in Transformation blog for the latest updates and in-depth analysis.
For further information, please contact:
Jodi G. Daniel, Partner, Crowell & Moring
jdaniel@crowell.com