Gov. Shapiro Signs Fair Contracting for Healthcare Practitioners Act Into Law

On July 17, 2024, Pennsylvania Governor Josh Shapiro signed the Fair Contracting for Health Care Practitioners Act into law, which will become effective as of January 1, 2025 (click here see the full bill). Any noncompete covenants that are greater than one year in length in an employment agreement for a healthcare provider, entered into after the effective date, are void and unenforceable. The exception that allows for noncompete covenants that are one year in length or less only applies to situations where the healthcare provider departs on their own volition; if a healthcare provider is terminated or dismissed by the employer, the noncompete covenant is not enforceable.

Employers are still authorized to recover reasonable expenses from a healthcare provider for expenses “related to the relocation, training, and establishment of a patient base,” but these expenses can only be recovered if the healthcare provider left on his or her own volition and was not terminated or dismissed by the employer.  

Additionally, any noncompete covenants related to the sale of an ownership interest or the sale of all or substantially all of the assets of a practice are not subject to the restrictions in this Act. If a provider is not a party to the sale, however, the noncompete agreement is void and unenforceable. This exception only applies to those with ownership interests in a practice.

Per the Act, the Health Care Cost Containment Council will perform a study of the effects of this Act within three years following its effective date and will report its findings back to the State Senate’s and State House’s Health and Human Services Committees.

Medicare Proposed 2025 Telehealth Changes

CMS proposed several telehealth changes in the 2025 Medicare Physician Fee Schedule Proposed Rule, issued July 10, 2024. 

Interactive Telecommunication

Beginning January 1, 2025, an interactive telecommunication system may include two-way, real-time audio-only communication technology for any telehealth service furnished to a beneficiary in their home, if the distant site physician or practitioner is technically capable of using an interactive telecommunication system but the patient is not capable of, or does not consent to, the use of video technology.

Distant Site Address

CMS will continue to permit the distant site practitioner to use their currently enrolled practice location instead of their home address when providing telehealth services from their home. 

Direct Supervision

CMS is proposing to adopt, for a certain subset of services that are required to be furnished under direct supervision of a physician or other supervising practitioner, to permanently adopt the definition of direct supervision that allows the physician or supervising practitioner to provide such supervision through real-time audio and visual interactive telecommunications.  CMS is specifically proposing that the physician or supervising practitioner may provide such virtual direct supervision for services furnished incident to a physician service when they are provided by auxiliary personnel employed by the physician and working under his or her direct supervision. 

CMS has also proposed that “immediate availability” for purposes of direct supervision for all other services will include real-time audio and visual interactive communications only through December 31, 2025.

Non-Compete Ban Updates: FTC Rule Challenges & Pennsylvania Healthcare Legislation

Challenges to the FTC Rule

As we previously discussed on Med Law Blog, following the FTC’s approval of the final rule to ban non-compete agreements for for-profit businesses in April, several businesses have challenged the FTC’s authority to enforce this rule. The final rule is set to take effect on September 4, 2024, but in light of the number of challenges still pending, it’s unclear as to whether the FTC’s rule will remain intact. In one such challenge in the Northern District of Texas, the federal judge issued a preliminary injunction on July 3, 2024, that stays this ban for the named plaintiffs in the case, who were Ryan LLC, the Chamber of Commerce of the United States of America, Business Roundtable, the Texas Association of Business, and the Longview Chamber of Commerce. On or before August 30, 2024, the court intends to rule on the merits of the legal challenge that seeks to invalidate the rule for businesses nationwide.

In a separate challenge to the FTC’s rule in the Eastern District of Pennsylvania, ATS Tree Services, LLC claims that the FTC has exceeded its authority beyond what Congress intended. ATS provides tree removal services and firewood sales in Pennsylvania. To be able to effectively provide these services, ATS invests in its employees by offering specialized training in tree care skills. ATS employees sign a non-compete agreement, in exchange for receiving such training, that restricts an employee from directly competing with ATS for one-year following the employee’s termination of employment. According to ATS, by removing the ability to enforce these non-compete agreements, ATS risks losing these employees to competitors after investing a significant amount of time and financial resources, which could jeopardize its business. The motion for a preliminary injunction is still pending in this case, and a decision is expected to be issued on or before July 23, 2024.

Pennsylvania Healthcare Legislation Update

On a separate but related topic specific to healthcare providers in Pennsylvania, the Pennsylvania House of Representatives passed a ban for healthcare non-compete agreements in April, as we previously discussed. This bill, as passed by the Pennsylvania House, will be effective immediately for new restrictive covenants following a provider’s current license renewal. The bill was amended in the Pennsylvania Senate on July 10, 2024, and is currently under review by the Pennsylvania Senate’s Appropriations Committee. We will continue to monitor as this bill progresses through the legislative process, and we will update on this blog as further updates become available.

UPMC/Washington Health System Merger Agreement Limits Non-Competes

The Press has announced that the Merger Agreement between UPMC and Washington Health System was approved by the Pennsylvania Attorney General with certain conditions, one of which was that UPMC would honor existing employment contracts and not impose restrictive covenants or non-compete agreements more restrictive than those that currently exist.

We will be researching that further and will provide whatever information we discover.

Navigating HIPAA’s Breach Notification Rule Following A Breach

In light of the ongoing investigation of Change Healthcare’s ransomware attack that resulted in the improper disclosure of thousands of individuals’ PHI, now seems like a perfect time to discuss HIPAA’s requirements surrounding the notification process following a breach. Whether it’s a small breach where someone in your organization accidentally sent a patient’s contact information to the wrong individual, or a large breach where your system has been hacked and all your patient records have potentially been exposed, the Department of Health and Human Services lays out clear guidance for your next steps.

What is a breach?

Before diving into the required process following a breach, it may be helpful to discuss what is considered a breach in the first place.

Under the Breach Notification Rule, a breach has taken place when there is an unpermitted use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Whether or not a breach has occurred can be determined by a risk assessment that evaluates:

  • the nature and extent of PHI involved;
  • the unauthorized individual who used or gained access to the PHI;
  • whether an unauthorized individual actually acquired or viewed the PHI; and
  • the extent to which the covered entity or business associate reduced the PHI exposure risk.

Unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised, any impermissible use or disclosure of PHI is presumed to have been a breach.

The rule does provide for three exceptions to this definition:

  • If an employee or authorized individual unintentionally, but in good faith and within their scope of authority, accesses or uses the PHI;
  • If the PHI is disclosed to an individual who is not authorized to access that particular individual’s PHI but is authorized to access PHI in general; or
  • If the covered entity has a good faith belief that the unauthorized person to whom the PHI was disclosed would have not been able to access or retain the information.

Notification Requirements

When a covered entity determines that a breach has occurred, the covered entity must provide notification to (1) the individual, (2) the Department of Health and Human Services, and (3) in some situations, the media.

Individual Notification

The individual must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In the notification, the individual must be provided:

  • a brief description of the breach;
  • a description of the types of information that were involved in the breach;
  • the steps the individual should take to protect themselves from potential harm;
  • a description of what the covered entity is doing to investigate the breach; and
  • contact information for the covered entity.

This notification must be provided in the form of first-class mail but can be sent via email if the individual has agreed to receive such notices electronically. In the event that the covered entity is unable to contact 10 or more individuals affected by the breach, the covered entity must substitute the individual notice by either posting the notice on its website for a minimum of 90 days or by providing the notice in the media where the affected individuals likely reside. In these instances, the covered entity must include a toll-free phone number that remains active for at least 90 days where individuals can call to learn if their information was involved in the breach.

When a business associate is responsible for the breach, the covered entity remains the party responsible for providing notification to the individuals affected. In these situations, the business associate must notify the covered entity within 60 days.

Department of Health and Human Services Notification

The process for notifying the Secretary of the Department of Health and Human Services can be completed online on the HHS website (click here).

In breaches that affect 500 or more individuals, the Secretary must be notified without unreasonable delay but no later than 60 days following the discovery of the breach.

In breaches that affect less than 500 individuals, the notification requirement only needs to occur annually but no later than 60 days after the end of the calendar year in which the breach is discovered.

The Department of Health and Human Services maintains a list on its website of recent HIPAA breach cases under investigation (click here).

Media Notification

In situations where 500 individuals or more are affected by a breach, the covered entity must provide notice to the prominent media outlets covering the region where the affected individuals likely reside. This notice can be provided in the form of a press release, must include the same information as required for notifying the individuals, and must be provided without unreasonable delay but no later than 60 days following the discovery of the breach.


Navigating HIPAA compliance can be a confusing and burdensome task – we are here to help. If you’ve had a breach and are questioning what your next steps should be, or if you have a general question about how to better align your practice’s processes with HIPAA’s compliance requirements, please reach out at or (412) 594-5532.

Businesses Challenge FTC’s Ban on Non-Compete Agreements

As expected, businesses have sued the FTC challenging the recent final rule that ends non-compete agreements, as reported by the Wall Street Journal Wednesday morning (read WSJ article here). The U.S. Chamber of Commerce challenged the final rule in federal court in East Texas, which has been joined by other business groups. A lawsuit was also filed by a tax-services firm, Ryan LLC, in Dallas.

According to the suit filed by the U.S. Chamber of Congress, courts have long understood the value of non-compete agreements for businesses in protecting their trade secrets and confidential information. When non-compete agreements are too restrictive, state governments have limited them. According to the Chamber’s suit, Congress never authorized the FTC to step in for the states to regulate these restrictive covenants.

FTC Votes to Ban Non-Compete Agreements

In a Special Open Commission Meeting held this afternoon, the Federal Trade Commission voted to approve the final rule to ban non-compete agreements for for-profit businesses, the effective date of such ban being in 120-days.

Important items of note with the final rule:

  • This rule only applies to for-profit businesses, as is within the scope of the FTC’s jurisdiction.
  • The effective date for this new rule is in 120-days.
  • New noncompete agreements are banned for all workers as of the effective date.
  • Existing noncompete agreements may remain in effect for senior executives.
  • Existing noncompete agreements are unenforceable for all other workers after the effective date.
    • Recission by the employer is not required.
    • Employers must provide notice to their employees; the FTC provided model language.

The FTC acknowledged that much of the healthcare industry operates under a non-profit tax status, so this new rule would not apply to employees of those healthcare entities. The FTC staff encouraged Congress to review the impact that non-compete agreements have on healthcare professionals and to take similar action with non-compete agreements in the healthcare industry.

Numerous business groups have expressed opposition to the proposed ban leading up to today’s vote, citing that noncompete agreements allow businesses to protect confidential information as well as protect other business interests. The FTC stated that, although it considered these business justifications for non-compete agreements, the benefits from such claimed justifications do not justify the harm to workers created by non-compete agreements.

FTC To Rule on Banning Non-Compete Agreements

The Federal Trade Commission has announced that it will be holding a Special Open Commission Meeting on Tuesday, April 23, 2024, at 2pm EST regarding the rule to ban non-compete agreements (read the announcement here). The expectation for this meeting is that the FTC will disclose the proposed final rule followed by remarks by the FTC chair and will conclude with a Commission vote on the proposed final rule.

This Open Commission Meeting follows the proposed rule in January 2023 (available here) that proposed banning most employers from imposing non-compete agreements on their employees. This proposed rule was subject to a 90-day public comment period, during which the FTC received over 26,000 comments.

The Open Commission Meeting is open to the public and will be available via webcast here.

PA House Passes Physician Non-Compete Limitations

The Allegheny County Medical Society has reported that the Pennsylvania House of Representatives has passed a bill to bar non-compete agreements in healthcare employment.  Click here for a copy of the Press Release, and a copy of the legislation.  There are limitations:

  • The bill is effective immediately for new restrictive covenant only after current license renewal
  • It allows undefined liquidated damages
  • It provides exemption for counties with populations of less than 50,000

It now goes to the Pennsylvania Senate.