Third Circuit Rules on Manufacturer Restrictions on Contract Pharmacies

The first of three pending appeals on whether a pharmaceutical manufacturer can limit distribution of covered 340B drugs to contract pharmacies resulted in a clear victory for pharmaceutical manufacturers.  The Third Circuit resolved conflicting decisions among district courts within the Third Circuit by ruling that the 340B program did not require pharmaceutical manufacturers to distribute or deliver drugs purchased by 340B covered entities to all contract pharmacies that the entity had partnered with.  Sanofi-Aventis U.S., LLC v. HHS, Case No. 21-3167 (1/30/2023).  The court rejected the government’s contrary interpretation that would have required manufacturers to deliver drugs to any location designated by the covered entity. 

Both underlying district court cases were filed by manufacturers after the government sent letters stating that manufacturers had violated the 340B program by restricting the delivery of drugs to a covered entity’s contract pharmacies. The manufacturers prevailed in AstraZeneca Pharms. LP v. Becerra, 2022 WL 484587 (D. Del. Feb. 16, 2022), and the government prevailed in Sanofi-Aventis U.S., LLC v. HHS, 570 F. Supp. 3d 129 (D.N.J. 2021).

The Third Circuit decision focused on the statutory language requiring that manufacturers “shall offer” drugs that are available to anyone at any price to “covered entities” for “purchase” at a discount. 42 U.S.C. §256b(a)(1). The court observed that “nowhere” did Section 340B mention contract pharmacies, and further, that neither the word “offer” nor the word “purchase” implied any specific requirement for delivery or distribution.  The court held that 340B “imposes a price term for drug sales to covered entities, leaving all other terms blank.” The court rejected the government’s interpretation that would have given covered entities discretion to fill in the blanks on delivery or distribution so long as they foot the bill. Said the court, “when Congress’s words run out, covered entities may not pick up the pen.”

Not All Statutory Interpretation Issues Were Resolved

The Third Circuit noted that its decision did not necessarily give manufacturers the right to impose any and all conditions on the use of contract pharmacies.  The court noted that it might come to a different result if a drug maker barred all use of contract pharmacies, where a covered entity that lacks an in-house pharmacy would have no way to dispense the drugs and so could not in practice “accept” them. But it refused to speculate on a situation that had not been presented. 

Pending Appeals Could Create Circuit Conflicts

Two other circuits are considering the same issue on appeal. The government has appealed from a decision in the District of Columbia that two manufacturers’ policies of restricting the use of contract pharmacies did not violate the 340B statute. Novartis Pharmaceuticals Corp. v. Espinosa, Nos. 21-cv-1479 (DLF), 21-cv-1686 (DLF) (D.D.C. Nov. 5, 2021) (appeal pending).

The Seventh Circuit also heard argument in October of 2022 in a manufacturer’s appeal from an Indiana decision that upheld the government’s interpretation, but no opinion has been issued. Eli Lilly and Company v. Becerra, Case No. 21-3128 (7th Cir.).

States Weigh In

States have also recently weighed in on the treatment and availability of 340B covered drugs dispensed by contract pharmacies. 

In December of 2022, a court upheld 38 Ark. Code Ann. § 23-92-604(c) against a challenge by the Pharmaceutical Manufacturers Association that the law was preempted by the Federal 340B statute. Pharma v. McClain, Case No. 4:21-CV-864-BRW (E.D. Ark. 12/12/22). The law prohibits pharmaceutical manufacturers from denying or prohibiting “340B drug pricing for an Arkansas-based community pharmacy that receives drugs purchased under a 340B drug pricing contract pharmacy arrangement with an entity authorized to participate in 340B drug pricing.” The court held that the 340B program did not preclude states from protecting state interests related to the distribution of pharmaceuticals within the state. The case is on appeal to the Eighth Circuit.

Finally, in a policy that became effective on January 1, 2023, Pennsylvania issued guidance that appears to eliminate Medicaid reimbursement for 340B covered drugs dispensed by contract pharmacies. That guidance can be found here: MAB2022122201.pdf (pa.gov). The policy arises out of ongoing tension between the Medicaid rebate program and 340B discounted pricing, because a manufacturer is obligated to offer rebates or discounts under only one of these programs on a given drug purchase. The failure of state Medicaid programs to earn rebates for drugs that are purchased under the 340B program but reimbursed under the Medicaid program has led to conflicts over, essentially, whether 340B covered entities or state Medicaid programs should receive the financial benefit of Federal drug discounting programs. In addition, both states and manufacturers have alleged significant documentation errors by covered entities and their contract pharmacies in identifying 340B covered drugs that are dispensed to Medicaid beneficiaries, leading to protracted disputes and requests for recoupment by manufacturers.

Throughout the COVID-19 pandemic, the Centers for Medicare and Medicaid Services (CMS) issued a number of waivers and flexibilities to help healthcare providers manage the influx of patients during the Public Health Emergency (PHE). The implementation of the Acute Hospital Care at Home (AHCaH) individual waiver in 2020 allowed qualifying hospitals to provide hospital at home (H@H) programs. These programs provide similar services as those administered during inpatient visits, such as physician visits and monitoring, drug prescription, nursing services, diagnostics, etc. Since its employment, 144 systems including 260 hospitals across 37 states have utilized the AHCaH waiver, rapidly increasing the number of H@H programs in the United States. While the initiative was originally set to expire with the end of the PHE, the AHCaH waiver program was extended until December 31, 2024, with the passing of the Consolidated Appropriations Act, 2023 (CAA 2023). The extension of this program sends a strong message about the importance of permanently integrating home-based care delivery models into our healthcare system. Despite the lengthy extension, the nature of this waiver program remains temporary and the concerns about the expiration effects on relevant stakeholders continue to be pertinent.

Continue Reading Hospital at Home Programs Extended, But Final Push Is Needed

On December 29, President Joe Biden signed into law the Consolidated Appropriations Act, 2023 (P.L. 117-164) (the “Act”)—an approximately $1.7 trillion spending package, which consists of all 12 fiscal year (FY) 2023 appropriations bills and funds the federal government through September 30, 2023, provides additional assistance to Ukraine, and makes numerous health care policy changes.  

Continue Reading President Biden Signs End-of-Year Legislation Including Telehealth, Medicare & Medicaid, Mental Health, Pandemic Preparedness, and Other Health Care Provisions

On December 21, 2022, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule that would adopt standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for “health care attachments” transactions, which would: (1) support health care claims adjudication and prior authorization transactions; (2) adopt standards for electronic signatures to be used in conjunction with health care attachments transactions; and (3) adopt a modification to the standard for the referral certification and authorization transaction. This builds on the HIPAA Transactions Rule standards for financial and administrative transactions among health care providers and health plans and aligns with Department of Health and Human Services (HHS) interoperability regulations.  Comments on the proposed rule are due March 21, 2023.

Background and Context

To enable health information to be exchanged more efficiently and to achieve greater uniformity in the transmission of health information, the CMS proposed rule would implement requirements of the Administrative Simplification subtitle of HIPAA and the Affordable Care Act to adopt transaction standards for electronic health care attachments and electronic signatures, building on the HIPAA Transactions Rule adopted at 45 C.F.R. Part 162. There are already adopted transaction requirements for health care claims and referral and certification transactions; however, at this time, there are no adopted HIPAA standards, implementation guides, or operating rules for health care attachments or electronic signatures. This proposed rule would establish electronic standards for “health care attachments” transactions, which would support health care claims and prior authorization transactions, and would establish a standard for electronic signatures to be used in conjunction with health care attachments transactions. This rule also proposes modifying the referral certification and authorization transaction standard to move to a new version of the current standard.

In making medical necessity determinations as part of coverage decisions, health plans often require additional information that cannot adequately be conveyed in the adopted prior authorization request or health care claims transaction. This proposed rule would support electronic transmission of this type of information, with the goal of facilitating prior authorization decisions and claims processing, reducing burden on providers and plans, and resulting in more timely delivery of patient health care services.

In September 2005, CMS issued a proposed rule to adopt certain standards with respect to health care attachments. Rather than a standard with generalized applicability, CMS proposed to adopt health care claims attachment standards with respect to specific service areas that included ambulance services, clinical reports, emergency department, laboratory results, medications, and rehabilitation services. CMS did not finalize the rule due to comments received related to the standards’ lack of technical maturity and stakeholders’ lack of readiness to implement electronic capture of clinical data. Standards for electronic signatures were also proposed in an August 1998 proposed rule, but were not adopted because stakeholder feedback indicated that electronic signature technology was not yet mature. The 2005 proposed rule was issued before the Health Information Technology for Economic and Clinical Health (HITECH) Act incentives to adopt electronic health records, and therefore before many health care providers had clinical data in electronic form.

Key Provisions

1. Adoption of Standards for Health Care Attachments Transactions

Scope of Health Care Transaction Standard

To define the scope of when the health care attachment standard would be used, CMS defines “attachment information” as documentation transmitted by a health care provider or requested by a health plan in order to make a decision about health care that is not included in either the claim or encounter information or the referral certification and authorization transaction. Use of the word “documentation” is intended to be broad to indicate the wide scope of information that may be included.

The proposed rule defines a health care attachment transaction as the transmission of any of the following:

  • Attachment information from a health care provider to a health plan in support of a referral certification and authorization transaction;
  • Attachment information from a health care provider to a health plan in support of a health care claims or equivalent encounter transaction; or
  • A request from a health plan to a health care provider for attachment information.

CMS clarifies that it is not proposing to adopt attachments standards for all health care transaction business needs and believes covered entities should gain experience with a limited number of standard electronic attachment types so that technical and business issues can be identified to inform potential future rulemaking for other electronic attachments standards.

Code Set, Implementation Specifications, and Standards

CMS proposes new requirements for a code set to be used for health care attachments transactions in addition to Accredited Standards Committee X12 (X12) standards for requesting and transmitting attachment information and Health Level Seven (HL7) standards for clinical information content, which are outlined below.

Code Set (LOINC for HIPAA Attachments): Logical Observation Identifiers Names and Codes (LOINC) is the code system, terminology, and vocabulary for identifying individual clinical results and other clinical information. CMS proposes numerous implementation specifications containing specific instructions for how to utilize LOINC for HIPAA Attachments to identify the specific kind of information that a health plan electronically requests of a health care provider and a health care provider electronically transmits to a health plan; to specify certain optional modifier variables for attachment information (e.g., a time period for which the attachment information is requested); and for structured attachment information, to identify specific HL7 Implementation Guide: LOINC Document Ontology document templates. Where an implementation specification requires the use of LOINC, it instructs users to utilize the codes valid at the time a transaction is initiated.

Standards and Implementation Specifications: CMS proposes adopting the following three X12N Technical Report Type 3 (TR3) implementation specifications for requesting and transmitting attachment information, and three HL7 implementation guides for the clinical information embedded in those transactions. CMS explains that the proposed attachments standards would satisfy the requirements to adopt a standard to support health care claims and support prior authorization transactions.

CMS proposes adopting the following HL7 implementation guides and X12 standards for health care attachments transactions:

  • HL7 CDA R2 Attachment Implementation Guide: Exchange of C-CDA Based Documents, Release 1, March 2017
  • HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 1 — Introductory Material, June 2019 with Errata
  • HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm) Draft Standard for Trial Use Release 2.1, Volume 2 — Templates and Supporting Material, June 2019 with Errata
  • X12N 275 – Additional Information to Support a Health Care Claim or Encounter (006020X314): the standard a provider must use to electronically transmit attachment information to a health plan to support a health care claims or equivalent encounter information transaction
  • X12N 275 – Additional Information to Support a Health Care Services Review (006020X316): the standard a provider must use to electronically transmit attachment information to a health plan to support a prior authorization request
  • X12N 277 – Health Care Claim Request for Additional Information (006020X313): the standard a health plan must use to electronically request attachment information from a health care provider to support a health care claim

2. Adoption of Standards for Electronic Signatures

This rule proposes a standard for electronic signatures to be used in conjunction with health care attachments transactions. Section 1173(e)(1) of the Social Security Act requires the HHS Secretary, in coordination with the Secretary of Commerce, to adopt standards specifying procedures for the electronic transmission and authentication of signatures for HIPAA transactions. The August 1998 proposed rule, which was never finalized, did not propose a standard but rather enumerated the following three implementation features: user authentication, message integrity, and non-repudiation.  In the September 2005 proposed rule, CMS recognized that an electronic signature consensus standard still did not exist and sought industry input on how signatures should be handled when an attachment is requested and transmitted electronically.

Definition of Electronic Signature: CMS proposes defining the term “electronic signature” as an electronic sound, symbol, or process, attached to or logically associated with attachment information and executed by a person with the intent to sign the attachment information. CMS states that it intends to define the term as broadly as possible to ensure that it meets health care providers’ and health plans’ needs now and can also encompass future electronic signature technologies. CMS clarifies that the electronic signature standard would pertain only to electronic signatures for attachment information transmitted by a health care provider in an electronic health care attachments transaction.

Electronic Signature Standard: In this proposed rule, CMS has decided not to propose a standard for electronic signature or requirements on when to require an electronic signature. Instead, it states that it defers to the industry to continue to establish those expectations and requests feedback from industry on these issues. While CMS is not proposing to specify when an electronic signature must be required, it is proposing that, where a health care provider uses an electronic signature in a health care attachments transaction, the signature must conform to the implementation specifications in the HL7 Implementation Guide for CDA Release 2: Digital Signatures and Delegation of Rights, Release 1 (hereafter Digital Signatures Guide). CMS states that the Digital Signatures Guide promotes the aforementioned three features by utilizing digital signature technology to implement identity management using digital certificates, encryption requirements to support message integrity, and multiple signed elements to support non-repudiation.

3. Modification to Referral Certification and Authorization Transaction Standard

This proposed rule would modify previously adopted HIPAA standards for referral certification and authorization transactions. The referral certification and authorization transaction includes the following transmissions:

(a) A request from a health care provider to a health plan for the review of health care to obtain an authorization for the health care.

(b) A request from a health care provider to a health plan to obtain authorization for referring an individual to another health care provider.

(c) A response from a health plan to a health care provider to a request described in paragraph (a) or paragraph (b).

In this rule, CMS proposes adopting Version 6020 of the X12N 278 for referral certification and authorization transactions standard to replace Version 5010 of the X12N 278. CMS notes that Version 6020 of the X12N 278 provides significant technical improvements and structural changes over Version 5010, including better supporting referral certification and authorization transactions for dental services and revising and expanding the drug authorization segment.

We note that this modification follows a recently proposed rule in November 2022 that would modify the referral certification and authorization transaction standard. Those proposed modifications addressed retail pharmacy drugs and dental, professional, and institutional requests for review and response. As previously discussed, this November proposed rule also adopts other standards, including the NCPDP Batch Standard Subrogation Implementation Guide Version 10 (to replace Version 3.0).

Compliance Dates

CMS proposes that the compliance date for adopting the new standards would be 24 months after the effective date of the final rule, which is 60 days after the final rule is published in the Federal Register, for all covered entities.

Takeaways

This proposed rule is part of a growing focus by HHS on interoperability, including electronic access to clinical data and rules on prior authorization. As we have previously discussed, CMS has recently proposed rules on interoperability and prior authorization, which are also open for comment. The Office of the National Coordinator for Health Information Technology (ONC) has also previously published a request for information, which covered standards for electronic prior authorization, among other things.  

We recommend assessing how your organization would be impacted by the proposed rule, if finalized, and considering commenting on the applicability and standards. For more information, or to better understand how this guidance impacts your organization, please contact the professionals listed below, or your regular Crowell & Moring contact.

On January 4, in its most recent effort to expand federal support for addressing health-related social needs (HRSNs), the Centers for Medicare & Medicaid Services (CMS) issued guidance to clarify an existing option for states to address HRSNs through the use of “in lieu of” services and settings policies in Medicaid managed care. This option is designed to help states offer alternative benefits that take aim at a range of unmet HRSNs, such as housing instability and food insecurity, and to help enrollees maintain their coverage and improve health outcomes. 

Background

“In lieu of” services can be used as immediate or longer-term substitutes for state-covered services or settings to offset potential future acute or institutional care and improve the quality and health outcomes for the enrollee. The recent guidance builds on the 2016 Medicaid and Children’s Health Insurance Program (CHIP) managed care final rule, which formally recognized states’ and managed care plans’ abilities to cover “in lieu of” services and significantly expanded its flexibility by permitting coverage of services in an institution for mental disease (IMD) with certain limitations. The final rule required that states’ “in lieu of” services must be medically appropriate and cost-effective, prevents managed care plans from requiring services for enrollees as a substitute for a state plan covered service or setting, and factors services’ utilization and actual costs into capitation rates.

States and CMS are using 1115 waiver authority to pursue “in lieu of” services and other HRSN-related services and supports. In recent months, CMS approved 1115 waivers in Arizona, Arkansas, Massachusetts, and Oregon that include “in lieu of” services proposals to address HRSNs. While several states currently use “in lieu of” services to cover mental health and substance use disorder treatment in IMD settings, CMS explains that additional guidance is necessary at this time for non-IMD and other types of services, including those to reduce the need for future costly state plan-covered services.

Guidance: CMS’ Six Principles on Appropriate and Efficient Use of “In Lieu Of” Services

In guidance addressed to state Medicaid directors, CMS clarifies its expectations for the use of “in lieu of” services and settings and provides a policy framework for states in order to qualify for a Section 1115 waiver. The guidance also establishes the following six principles to guide states in this area: (i) Medicaid program alignment, (ii) cost-effectiveness, (iii) medical appropriateness, (iv) enrollee rights and protections, (v) monitoring and oversight, and (vi) retrospective evaluation (when applicable).

CMS has developed these clarifying parameters to ensure adequate assessment of the alternative services and settings prior to use, ongoing monitoring for appropriate utilization and enrollee protections, and financial guardrails to ensure accountability and prevent inappropriate use of Medicaid resources. States must fulfill each of the below requirements to obtain CMS approval of states’ managed care plan contracts that include “in lieu of” services in accordance with 42 CFR § 438.3(a).

  1. “In lieu of” services must advance the objectives of the Medicaid program.
  2. “In lieu of” services must be cost effective. States must submit:
     • A brief description of each “in lieu of” service in the Medicaid managed care program, and whether the service was provided as a benefit during the base data period;
     • The projected “in lieu of” services cost percentage, which is calculated by dividing the portion of the total capitation rates that would be attributable to a service, excluding short term stays in an IMD, for a specific managed care program by the projected total capitation payments for that program;
     • A description of how the “in lieu of” services (both material and non-material impact) were taken into account in the development of the projected benefit costs, and whether this approach was different than that for any of the other services in the categories of service; and
     • An actuarial report that includes the final “in lieu of” services cost percentage, the actual plan costs for services for the specific managed care program, the portion of the total capitation payments that is attributable to services (excluding a short term stay in an IMD), and a summary of the actual managed care plan costs for delivering services based on claims and encounter data. The report should be submitted to CMS no later than 2 years after the completion of the contract year that includes services.
  3. “In lieu of” services must be medically appropriate. States must submit:
     • The name and definition of each “in lieu of” service and the services or settings which they substitute, including the relevant coding;
     • Clinically oriented definitions for the target population;
     • A contractual requirement for the managed care plans to utilize a consistent process to ensure that a provider using professional judgement determines the medical appropriateness of the service for each enrollee; and
     • If the projected cost percentage is higher than 1.5 percent, a description of the process to determine medical appropriateness.
  4. “In lieu of” services must be provided in a manner that preserves enrollee rights and protections.
  5. “In lieu of” services must be subject to appropriate monitoring and oversight. States must submit:
     • An actuarial report provided by the state’s actuary certifying the final “in lieu of” service cost percentage specific to each managed care program as outlined above;
     • Written notification within 30 days of determining that an “in lieu of” service is no longer a medically appropriate or cost-effective substitute, or for any other areas of non-compliance;
     • An attestation to audit encounter, grievances, appeals, and state fair hearing data to ensure accuracy, completeness, and timeliness, including data to stratify utilization by demographics when possible; and
     • Documentation necessary for CMS to understand how the utilization, cost, and savings for an “in lieu of” service were considered in the development of actuarially sound capitation rates.
  6. “In lieu of” services must be subject to retrospective evaluation (when applicable).

CMS will require states with final “in lieu of” services cost percentages greater than 1.5 percent to submit a retrospective evaluation for each managed care program that includes “in lieu of” services. At a minimum, evaluations should include the following information:

  • The impact each service had on utilization of state plan-covered services or settings, including associated cost savings, trends in managed care plan and enrollee use of each service, and impact of each service on quality of care;
  • An assessment of whether encounter data supports the state’s determination that each service is a medically appropriate and cost-effective substitute;
  • The final “in lieu of” services cost percentage consistent with the actuarial report;
  • Appeals, grievances, and state fair hearings data separately for each service including volume, reason, resolution status, and trends; and
  • The impact each service had on health equity initiatives and efforts undertaken by the state to mitigate health disparities.

Evaluations must be submitted to CMS no later than 24 months after the completion of the first five contract years that include “in lieu of” services. If the retrospective evaluation identifies substantive issues, CMS may determine whether to permit the state to take corrective action to remedy the deficiency or terminate the service.

Next Steps

States that use “in lieu of” services for their Medicaid managed care contracting will have until the contract rating period beginning on or after January 1, 2024, to conform with this guidance for existing services. Effective January 4, 2023, any state managed care plan contract that includes new “in lieu of” services must conform to the guidance.

The guidance demonstrates the Administration’s interest and commitment to bolster federal support for reimbursement of “in lieu of” services to address HRSNs. States can leverage existing federal policy flexibilities to offer expanded benefits to Medicaid beneficiaries and improve population health. In addition, the guidance may offer opportunities for plans, providers, health technology companies, and others to improve access to health-related social care services for vulnerable populations.

For more information on how the guidance could impact your organization, please contact the professionals listed below, or your regular Crowell & Moring contact.

On December 6, 2022, the Centers for Medicare & Medicaid Services (CMS) issued a Proposed Rule that would (i) further enhance health data exchange by establishing data exchange standards for certain payers, (ii) improve patient and provider access to health information, and (iii) streamline processes related to prior authorization for medical items and services. The regulations impact CMS-regulated payers and provide incentives for providers and hospitals that participate in the Medicare Promoting Interoperability Program and the Merit-based Incentive Payment System (MIPS).

This Proposed Rule officially withdraws, replaces, and responds to the comments received from the December 2020 CMS Interoperability proposed rule, further builds on the May 2020 CMS Interoperability and Patient Access final rule, and diverges from the December 2020 CMS Interoperability proposed rule in a few key ways. Most of the Proposed Rule’s provisions will be effective on January 1, 2026. The deadline to submit comments is March 13, 2023. Our initial takeaways are summarized below.

The below summary does not focus on the Medicaid and Children’s Health Insurance Program (CHIP) Fee for Service (FFS) proposals. The Proposed Rule also notes that the Medicare FFS program is evaluating opportunities to improve automation of prior authorization processes, and, if the Proposed Rule is finalized, Medicare FFS would align its efforts for implementing its requirements as feasible.

1.  Proposed Rule withdraws, replaces, and responds to comments to the December 2020 CMS Interoperability proposed rule:

CMS reports that it received approximately 251 individual comments on the December 2020 CMS Interoperability proposed rule by the close of the comment period on January 4, 2021. The agency explains that the December 2020 CMS Interoperability proposed rule will not be finalized due to the concerns raised by the commenters—including concerns related to the short comment period for stakeholders to conduct a thorough analysis and provide feedback, as well as the short implementation timeframes. For these reasons, CMS withdrew the December 2020 CMS Interoperability proposed rule. The new Proposed Rule incorporates the feedback CMS had already received, proposes updates and provides additional time for public comment, until March 13, 2023.

2.  Proposed Rule builds on the May 2020 CMS Interoperability and Patient Access final rule:

This new Proposed Rule builds on the May 2020 CMS Interoperability and Patient Access final rule by requiring impacted payers (newly included Medicare Advantage Organizations (MAOs); state Medicaid and CHIP FFS programs; Medicaid managed care plans; CHIP managed care entities; and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs)) not only to establish a standards-based Patient Access Application Programming Interface (API), but also to implement a new Provider Access API, a standardized payer-to-payer data exchange API, and a Prior Authorization Requirements, Documentation and Decision (PARDD) API. To ensure providers utilize this technology, CMS also proposes to include an “electronic prior authorization” measure in the Merit-based Incentive Payment System (MIPS) Promoting Interoperability performance category for MIPS eligible providers and in the Medicare Promoting Interoperability Program for eligible hospitals and critical access hospitals (CAHs).

a.  Patient Access API

(i) Security risk remains the only reason to deny an individual’s access request via Patient Access API.

CMS reiterates in the Proposed Rule that the only reason a payer could deny API access to a health app that a patient wishes to use to access data through the Patient Access API is a potential security risk to the payer. CMS gives as examples of such risks insufficient authentication or authorization controls, weak encryption, and susceptibility to reverse engineering. The payer must make that determination using objective, verifiable criteria that are applied fairly and consistently across all apps and developers through which patients seek to access their electronic health information.
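One way a payer could make that determination objective and repeatable is to reduce it to a fixed checklist that is applied, unchanged, to every app registration and that records which criterion failed. The following is an added example and not CMS text or any payer's actual policy; the registration fields, the five criteria (illustrating the three risk categories the Proposed Rule names: authentication/authorization controls, encryption, and reverse engineering) and the two sample registrations are all assumptions.

```python
"""Evaluate third-party health app registrations against one fixed, objective
security checklist (added example; criteria and sample apps are assumed)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AppRegistration:
    """Facts a payer can verify about an app at registration (assumed schema)."""
    name: str
    auth_protocol: str                 # "oauth2" for the authorization-code flow
    uses_pkce: bool                    # proof key for code exchange on a public client
    redirect_uris: Tuple[str, ...]     # where authorization codes are delivered
    min_tls_version: Tuple[int, int]   # lowest TLS version the app will negotiate
    secret_embedded_in_client: bool    # a static secret shipped inside the app binary


# (criterion id, human-readable text, verifiable predicate). The same list is
# used for every app, so two apps with the same facts get the same decision.
Criterion = Tuple[str, str, Callable[[AppRegistration], bool]]

CRITERIA: List[Criterion] = [
    ("AUTHZ-1", "uses OAuth 2.0 for authorization",
     lambda a: a.auth_protocol == "oauth2"),
    ("AUTHZ-2", "public client uses PKCE",
     lambda a: a.uses_pkce),
    ("CRYPTO-1", "every redirect URI is https",
     lambda a: all(u.startswith("https://") for u in a.redirect_uris)),
    ("CRYPTO-2", "negotiates TLS 1.2 or newer",
     lambda a: a.min_tls_version >= (1, 2)),
    ("RE-1", "no static secret embedded in the client (reverse-engineering risk)",
     lambda a: not a.secret_embedded_in_client),
]


def evaluate_app(app: AppRegistration) -> dict:
    """Return the decision together with every failed criterion, for the audit record."""
    failed = [(cid, text) for cid, text, check in CRITERIA if not check(app)]
    return {"app": app.name, "allowed": not failed, "failed": failed}


def evaluate_all(apps: List[AppRegistration]) -> List[dict]:
    """Apply the identical checklist to every app, in registration order."""
    return [evaluate_app(a) for a in apps]


# Constructed sample registrations.
GOOD_APP = AppRegistration("MyMeds (constructed)", "oauth2", True,
                           ("https://mymeds.example/callback",), (1, 2), False)
RISKY_APP = AppRegistration("QuickClaims (constructed)", "oauth2", True,
                            ("http://quickclaims.example/cb",), (1, 2), True)

if __name__ == "__main__":
    for decision in evaluate_all([GOOD_APP, RISKY_APP]):
        print(decision)
```

Because the only inputs are the verifiable facts in `AppRegistration`, the decision cannot turn on who the developer is or what the app competes with, which is the consistency the Proposed Rule asks for; the `failed` list doubles as the written reason given to the developer.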

(ii) Prior authorization information would be included via the Patient Access API.

CMS proposes to require impacted payers (now including MAOs) to share certain prior authorization information through the Health Level 7® (HL7®) Fast Healthcare Interoperability Resources® (FHIR®) standard Patient Access API.

(iii) Payers would be required to report metrics about the use of Patient Access API.

Additionally, CMS proposes to require impacted payers to report metrics in the form of aggregated, de-identified data to CMS on an annual basis about how patients use the Patient Access API to assess whether CMS’s Patient Access API policies are successful. Specifically, CMS proposes that payers annually report:

  • The total number of unique patients whose data are transferred via the Patient Access API to a health app designated by the patient; and
  • The total number of unique patients whose data are transferred more than once via the Patient Access API to a health app designated by the patient.

(iv) Data provided via the Patient Access API would include all data classes and elements currently included in USCDI v.1.

Finally, CMS proposes a clarification that the data that impacted payers must make available are “all data classes and data elements included in a content standard at 45 C.F.R. 170.213,” instead of “clinical data, including laboratory results.” The current data standard at 45 C.F.R. 170.213 remains USCDI v. 1.

b.  Provider Access API

In addition to the Patient Access API requirement, the Proposed Rule requires impacted payers to implement and maintain a FHIR API that makes patient information directly available to providers with whom payers have contractual relationships (i.e., in-network providers) and with whom patients have treatment relationships. The proposal includes a patient opt-out option (where the December 2020 CMS Interoperability proposed rule included an opt-in policy) by which patients could choose not to participate in the Provider Access API. Through this provision, CMS seeks to reduce the burden on patients and improve care by ensuring that providers can access comprehensive patient data. Importantly, both the proposed Patient Access and Provider Access APIs require that payers share prior authorization request and decision information for medical items and services (excluding drugs).

c.  Payer-to-Payer Data Exchange API

(i) Payers would be required to implement a FHIR API for payer-to-payer data exchange.

The Proposed Rule would rescind the existing payer-to-payer data exchange policy, which did not impose a standard for the exchange, and would instead require impacted payers to implement and maintain a payer-to-payer FHIR API to build a longitudinal patient record when the patient moves from one payer to another, or when the patient has concurrent coverage. CMS proposes an opt-out option for patients. While non-impacted payers may benefit from implementing the payer-to-payer API, they would not be under any obligation to do so. Therefore, the impacted payers in this Proposed Rule would only be responsible for their own side of the data sharing requests and responses.

(ii) Payers would have to exchange data with any concurrent payers that a member reports within one week of the start of coverage.

The Proposed Rule requires impacted payers to collect information about any concurrent payer(s) from patients before the start of coverage with the impacted payer and, within one week of the start of a member’s coverage, to exchange data with any concurrent payers that the member reports. Such exchange would continue on at least a quarterly basis. The receiving impacted payer would have to respond with the appropriate data within one business day of receiving the request for a current patient’s data from a known concurrent payer for that patient. To the extent that an individual is enrolled with payers not subject to the Proposed Rule that refuse to exchange data with the impacted payer, the impacted payer would not be required to provide data to that concurrent payer and would not be required to continue to request data exchange quarterly. An impacted payer is required to respond to a non-impacted payer, however, if that non-impacted payer requests data exchange in accordance with the Proposed Rule.

d.  Prior Authorization Requirements, Documentation, and Decision (PARDD) API

(i) Payers would need to build a PARDD API to streamline the prior authorization process.

CMS proposes requirements for an API to streamline the prior authorization process, that is, the process by which a provider must obtain approval from a payer before providing care in order to receive payment for delivering items or services. Specifically, CMS proposes to require impacted payers to build and maintain a FHIR Prior Authorization Requirements, Documentation, and Decision (PARDD) API. The Proposed Rule would not apply to outpatient drugs, whether prescribed, administered by a physician, or administered in a pharmacy or hospital.

CMS acknowledges that its PARDD API proposal will result in changes to the impacted payers’ customer service operations and procedures, and encourages payers to evaluate the procedural and operational changes as part of their implementation strategy, and to make appropriate resources available when the API is launched.

Given the delayed implementation date of January 1, 2026 (for Medicaid managed care plans and CHIP managed care entities, by the rating period beginning on or after January 1, 2026, and for QHP issuers on the FFEs, for plan years beginning on or after January 1, 2026), CMS encourages those payers that currently maintain cumbersome prior authorization processes on their individual websites or through proprietary portals to develop short-term mechanisms to make prior authorization information more easily understandable and publicly available to providers and patients, if they elect to wait until 2026 to implement the PARDD API.

(ii) Payers must share certain information with patients and providers.

As noted in the Patient Access API description, there are a few key pieces of information which payers are responsible for sharing with patients and providers within clear timelines under the Proposed Rule. Specifically, payers must share lists of covered items and services (excluding drugs) which require prior authorization, share the corresponding documentation requirements, respond to prior authorization requests within specified timeframes, provide clear reasoning for request denials, and publicly report prior authorization metrics including approvals, denials, and appeals.

The PARDD API, however, also would allow providers to query the payer’s system to determine whether a prior authorization was required for certain items and services and to identify documentation requirements. Further, the PARDD API would automate the compilation of necessary data for populating the HIPAA-compliant prior authorization transaction (X12 278) and enable payers to provide the status of the prior authorization request, including whether the request has been approved (and for how long) or denied (with a specific reason), which would support current Federal and state notice requirements for certain impacted payers.

(iii) Impacted payers would be required to annually report on prior authorization metrics.

CMS states that it believes transparency regarding prior authorization processes would be an important consideration for individuals choosing new plans. CMS proposes to require impacted payers to publicly report annually (by March of each year), on the payer’s website or via a publicly accessible hyperlink(s), the following nine aggregated metrics about prior authorization:

  1. A list of all items and services that require prior authorization.
  2. The percentage of standard prior authorization requests that were approved, aggregated for all items and services.
  3. The percentage of standard prior authorization requests that were denied, aggregated for all items and services.
  4. The percentage of standard prior authorization requests that were approved after appeal, aggregated for all items and services.
  5. The percentage of prior authorization requests for which the timeframe for review was extended, and the request was approved, aggregated for all items and services.
  6. The percentage of expedited prior authorization requests that were approved, aggregated for all items and services.
  7. The percentage of expedited prior authorization requests that were denied, aggregated for all items and services.
  8. The average and median time that elapsed between the submission of a request and a determination by the payer, plan, or issuer, for standard prior authorizations, aggregated for all items and services.
  9. The average and median time that elapsed between the submission of a request and a decision by the payer, plan or issuer, for expedited prior authorizations, aggregated for all items and services.

This proposed reporting would be at the organizational level for MA, the state level for Medicaid and CHIP FFS, the plan level for Medicaid and CHIP managed care, and the issuer level for QHP issuers on the FFEs.
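The nine metrics are straightforward to derive from a payer's own request log once the denominators are pinned down, which the Proposed Rule's summary above does not do. The following is an added example, not CMS's specification or any payer's code: the record schema, the sample requests, the choice to attribute a request to the year it was submitted, the use of appealed standard requests as the denominator for metric 4 and all requests for metric 5, and the reporting of elapsed time in hours are all assumptions made here.

```python
"""Compute the nine aggregated prior authorization metrics from request records
(added example; schema, denominators and sample data are assumptions)."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PARequest:
    item: str                       # item or service under review (constructed label)
    expedited: bool                 # True for an expedited request, False for standard
    submitted: datetime             # when the provider submitted the request
    decided: datetime               # when the payer issued its determination
    approved: bool                  # initial determination
    extended: bool = False          # review timeframe was extended before deciding
    approved_on_appeal: Optional[bool] = None  # None when no appeal was filed


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def hours_to_decision(r: PARequest) -> float:
    return (r.decided - r.submitted).total_seconds() / 3600.0


def prior_auth_metrics(pa_items: Iterable[str], requests: Iterable[PARequest], year: int) -> dict:
    """Aggregate across all items and services for one reporting year.

    Metric 1 comes from the payer's published list, not from the request log.
    Assumed: requests belong to the year they were submitted; metric 4 divides
    by appealed standard requests; metric 5 divides by all requests.
    """
    reqs = [r for r in requests if r.submitted.year == year]
    standard = [r for r in reqs if not r.expedited]
    expedited = [r for r in reqs if r.expedited]
    appealed = [r for r in standard if r.approved_on_appeal is not None]

    def timing(group: List[PARequest]) -> dict:
        hrs = [hours_to_decision(r) for r in group]
        return {"mean_hours": round(mean(hrs), 1) if hrs else 0.0,
                "median_hours": round(median(hrs), 1) if hrs else 0.0}

    return {
        "reporting_year": year,
        "1_items_requiring_pa": sorted(set(pa_items)),
        "2_standard_approved_pct": pct(sum(r.approved for r in standard), len(standard)),
        "3_standard_denied_pct": pct(sum(not r.approved for r in standard), len(standard)),
        "4_standard_approved_after_appeal_pct": pct(
            sum(bool(r.approved_on_appeal) for r in appealed), len(appealed)),
        "5_extended_and_approved_pct": pct(
            sum(r.extended and r.approved for r in reqs), len(reqs)),
        "6_expedited_approved_pct": pct(sum(r.approved for r in expedited), len(expedited)),
        "7_expedited_denied_pct": pct(sum(not r.approved for r in expedited), len(expedited)),
        "8_standard_time": timing(standard),
        "9_expedited_time": timing(expedited),
    }


# Constructed sample data: the payer's PA list and a few requests.
PA_ITEMS = ["MRI lumbar spine", "Home oxygen", "Inpatient rehab admission"]
SAMPLE = [
    PARequest("MRI lumbar spine", False, datetime(2023, 1, 2, 9), datetime(2023, 1, 4, 9), True),
    PARequest("Home oxygen", False, datetime(2023, 1, 3, 10), datetime(2023, 1, 5, 16), False,
              approved_on_appeal=True),
    PARequest("Inpatient rehab admission", False, datetime(2023, 1, 4, 8), datetime(2023, 1, 10, 8), True,
              extended=True),
    PARequest("MRI lumbar spine", False, datetime(2023, 1, 5, 12), datetime(2023, 1, 6, 12), False,
              approved_on_appeal=False),
    PARequest("Inpatient rehab admission", True, datetime(2023, 1, 2, 9), datetime(2023, 1, 2, 15), True),
    PARequest("Home oxygen", True, datetime(2023, 1, 3, 9), datetime(2023, 1, 4, 9), False),
    PARequest("Home oxygen", False, datetime(2022, 12, 20, 9), datetime(2022, 12, 22, 9), True),  # prior year
]

if __name__ == "__main__":
    import json
    print(json.dumps(prior_auth_metrics(PA_ITEMS, SAMPLE, 2023), indent=2))
```

Two points the code makes explicit that the list does not: the percentages are aggregated across every item and service, so no per-procedure figures leak into the public report, and the median sits alongside the mean because a few extended reviews (the 144-hour request above) can pull the average well away from the typical turnaround.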

(iv) CMS encourages payers to adopt prior authorization gold-carding programs.

The Proposed Rule also encourages payers to adopt gold-carding programs, under which payers relax prior authorization requirements for providers that have a demonstrated history of compliance with all payer documentation requirements supporting their requests, appropriate utilization of items or services, or other evidence-driven criteria. To further encourage the adoption and establishment of gold-carding programs, CMS is considering including a gold-carding measure as a factor in the quality star ratings and seeks comment, for potential future rulemaking, on incorporating such a measure into star ratings for these organizations and on imposing gold-carding as a requirement in payers’ prior authorization policies.

e. Electronic Prior Authorization for the MIPS Promoting Interoperability Performance Category and the Medicare Promoting Interoperability Program.

CMS acknowledges that the anticipated benefits of the PARDD API are contingent on providers using health IT products that can interact with payers’ APIs. Therefore, the Proposed Rule would also create a new “electronic prior authorization” measure for MIPS eligible clinicians under the Promoting Interoperability performance category of MIPS, as well as for eligible hospitals and critical access hospitals (CAHs) under the Medicare Promoting Interoperability Program. Under this proposal, MIPS eligible clinicians, eligible hospitals, and CAHs would be required to report the number of prior authorizations for medical items and services (excluding drugs) that are requested electronically, using data from certified electronic health record technology (CEHRT), through a payer’s PARDD API. CMS determines a final score for each MIPS eligible clinician based on their performance in the MIPS performance categories and applies a payment adjustment (which can be positive, neutral, or negative) for the covered professional services they furnish based on that final score. Under the Medicare Promoting Interoperability Program, eligible hospitals and CAHs that do not successfully demonstrate meaningful use of CEHRT are subject to Medicare payment reductions. CMS requests comment on additional steps it could take to encourage providers and health IT developers to adopt the technology necessary to access payers’ PARDD APIs.

CMS also notes that on January 24, 2022, ONC published an RFI titled “Electronic Prior Authorization Standards, Implementation Specifications, and Certification Criteria” (87 FR 3475) requesting comment on how updates to the ONC Health IT Certification Program could support electronic prior authorization.

f.  Interoperability Standards for APIs

Finally, this Proposed Rule seeks to clarify the specific standards at 45 C.F.R. 170.215 that apply to each API discussed in the proposal. For example, CMS proposes to require impacted payers to implement an HL7 FHIR API that would work in combination with the adopted HIPAA transaction standard—ASC X12 Version 5010X217 278 (X12 278) for dental, professional, and institutional requests for review and response—and use certain HL7 FHIR Da Vinci Implementation Guidelines (IGs) developed specifically to support the functionality of the PARDD API to conduct the prior authorization process. Covered entities would continue to send and receive the HIPAA-compliant prior authorization transactions while using the FHIR PARDD API.

g.  Requests for Information (RFI)

There are also five RFIs in the Proposed Rule on the following topics:

  • Accelerating adoption of standards related to social risk data;
  • Electronic exchange of behavioral health data;
  • Electronic exchange for Medicare fee-for-service;
  • Incentives for exchange in accordance with the Trusted Exchange Framework and Common Agreement; and
  • Advancing interoperability and improving prior authorization for maternal health.

3.  Summary of the Proposed Rule’s major changes from the December 2020 Interoperability proposed rule:

In sum, the Proposed Rule features the following major changes from the December 2020 proposed rule:

  • Requiring impacted payers to use the health information technology standards at 45 C.F.R. 170.215 that are applicable to each corresponding set of API requirements, including the payer-to-payer API;
  • Including MAOs as impacted payers;
  • Extending the implementation timeline for the policies within the newly proposed rule, with opportunities to seek extensions, exemptions, or exceptions for certain payers;
  • Clarifying existing Medicaid beneficiary notice and fair hearing regulations that apply to Medicaid prior authorization, and changing terminology related to Patient Access API; and
  • Including a new Electronic Prior Authorization measure for eligible hospitals and CAHs under the Medicare Promoting Interoperability Program and MIPS eligible clinicians under the Promoting Interoperability performance category of MIPS.


On November 9, the Department of Health and Human Services (HHS) issued a proposed rule to adopt updated versions of the retail pharmacy standards for electronic transactions adopted under the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and to broaden the applicability of the HIPAA subrogation transaction.

If the proposed rule is finalized, covered entities would have to comply within 24 months after the effective date of the final rule, and small health plans would have 36 months to comply. Comments must be submitted by January 9, 2023 (60 days after date of publication in the Federal Register).

Background

Under HIPAA, HHS is required to adopt standards for electronic health care administrative transactions conducted between health care providers, health plans, and health care clearinghouses. The National Committee on Vital and Health Statistics (NCVHS) serves as an advisory committee to the HHS Secretary and must recommend modification of HIPAA standards following review and approval of new or updated standards developed by Standards Development Organizations.

In 2009, HHS adopted the National Council for Prescription Drug Programs (NCPDP) Telecommunication Standard Implementation Guide, Version D, Release 0 (Version D.0) and equivalent NCPDP Batch Standard Implementation Guide, Version 1, Release 2 (Version 1.2) (collectively referred to as Version D.0) for retail pharmacy transactions. HHS also adopted the NCPDP Batch Standard Medicaid Subrogation Implementation Guide, Version 3, Release 0 (Version 3.0) for Medicaid pharmacy subrogation transactions, which Medicaid agencies use in transmitting claims to payers for the purpose of seeking reimbursement from the health plan responsible for a pharmacy claim the State has paid on behalf of a Medicaid recipient.

Since 2018, NCVHS has issued recommendations to adopt the following standards: NCPDP Telecommunications Standard Implementation Guide Version F6 (to replace Version D.0); NCPDP Batch Standard Implementation Guide Version 15 (to replace Version 1.2); and NCPDP Batch Standard Subrogation Implementation Guide Version 10 (to replace Version 3.0). These recommended standards were developed through consensus-based processes, which included the opportunity for public comment. NCVHS has recommended that HHS publish a proposed rule adopting the more recent standards to address the industry’s evolving business needs, and sent letters in 2018 and 2020 urging adoption of those standards.

Major Provisions of the Proposed Modifications to the National Council for Prescription Drug Programs Retail Pharmacy Standards and the Adoption of a New Pharmacy Subrogation Standard

Consistent with NCVHS recommendations, HHS proposes to adopt the following NCPDP standards:

  • The NCPDP Telecommunication Standard Implementation Guide, Version F6 and equivalent NCPDP Batch Standard Implementation Guide, Version 15:
    • HHS proposes adopting modifications to the current HIPAA retail pharmacy standards for the following transactions: health care claims or equivalent encounter information; eligibility for a health plan; referral certification and authorization; and coordination of benefits.
    • Version F6 would upgrade the currently adopted Version D.0 with improvements such as better information attached to controlled substance claims, including refinement of the quantity prescribed field. This change would enable refills to be distinguished from multiple dispensing events for a single fill, which would increase patient safety. Version F6 provides more specific fields to differentiate various types of fees, including taxes, regulatory fees, and medication administration fees. Version F6 also increases the dollar amount field length, which would simplify coverage under prescription benefits of new innovative drug therapies priced at, or in excess of, $1 million.
  • The NCPDP Batch Standard Pharmacy Subrogation Implementation Guide, Version 10, for non-Medicaid health plans:
    • While HIPAA currently only requires Medicaid agencies to use the Batch Standard Medicaid Subrogation Implementation Guide, Version 3.0, Version 10 would require all health plans to use the Pharmacy Subrogation Implementation Guide, pursuant to industry feedback that subrogation is needed beyond Medicaid.
    • The current Medicaid Subrogation Implementation Guide Version 3.0 was adopted to support federal and state requirements for state Medicaid agencies to seek reimbursement from the correct responsible health plan. However, industry stakeholders reported that there is a need to expand the use of the subrogation transaction beyond Medicaid agencies. HHS notes that expansion of the standard would allow for better tracking for subrogation efforts and results across all health plans, and support cost containment efforts.

Takeaways

In the proposed rule, HHS states that the updated retail pharmacy standards are sufficiently mature for adoption and that covered entities are ready to implement them. HHS explains that adoption of the updated versions would provide improvements, including more robust data exchange, improved coordination of benefits, and expanded financial fields that would avoid the need to manually enter free text, split claims, or prepare and submit a paper Universal Claim Form.

The Centers for Medicare & Medicaid Services National Standards Group plans to hold a listening session on the proposed rule on Wednesday, November 30th from 2:00 to 3:30 PM EST to provide an overview of the proposed rule’s provisions and hear stakeholder feedback on the proposed rule.

In late November, HHS proposed long-awaited changes to regulations at 42 C.F.R. Part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records as required under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act. Generally, HHS is attempting to align Part 2 requirements with the HIPAA (“Health Insurance Portability and Accountability Act”) Privacy Rule. The most significant changes are those to the rules governing consent for entities subject to Part 2’s restrictions to use, disclose, and redisclose Part 2 records with respect to treatment, payment, and health care operations (“TPO”) activities.


The results of the 2022 U.S. midterm elections—during which voters were focused on the economy, public safety, and health care and abortion issues—will have longstanding consequences for the development of health care policy over the next two years. With the U.S. House of Representatives and U.S. Senate controlled by different parties, it will be difficult for Congress to come to bipartisan agreement and pass significant health legislation during the 118th Congress. As a result, the Biden Administration will focus on implementing regulations for key legislative accomplishments and leveraging executive and regulatory authority to advance policy priorities, including implementing the Inflation Reduction Act, lowering health care and prescription drug costs for patients, and addressing health equity gaps across population groups. Considering the impact of the COVID-19 pandemic and expected unwinding of the public health emergency (PHE), concerns regarding health care financing and Medicare Trust Fund solvency, and the acceleration in the adoption of health information technology and digitization in recent years, implementation of these policy priorities will have a substantial impact on all stakeholders within health systems.

In 2023, we expect to see health care policy developments in the following key domains: reproductive rights and gender discrimination, health data privacy, telehealth, and price transparency.  

Reproductive Rights and Gender Discrimination 

Following the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, federal agencies have taken a number of actions to provide resources and guidance on health data privacy in accordance with President Joe Biden’s executive order to support access to reproductive health care. In July, the Department of Health and Human Services (HHS) issued guidance and sent a letter to health care providers reminding them of their responsibilities, irrespective of conflicting state laws or mandates, to provide stabilizing medical treatment to pregnant patients under the Emergency Medical Treatment and Active Labor Act (EMTALA). HHS also issued guidance reminding retail pharmacies of their nondiscrimination obligations under Section 1557 of the Affordable Care Act and directing pharmacies to not discriminate against customers on the basis of sex and disability (e.g., those seeking medication abortion). While the EMTALA guidance is currently being challenged in federal court, we expect the Administration to address additional issues related to reproductive health care services, including state policies affecting telehealth and travel restrictions for abortion. Without bipartisan agreement in the divided Congress, passage of wide-ranging abortion legislation is unlikely.  

Over the summer, the HHS Office for Civil Rights (OCR) issued a notice of proposed rulemaking implementing Section 1557 of the Affordable Care Act and establishing antidiscrimination requirements applicable to health care entities. The proposed rule restores and strengthens certain civil rights protections under federally funded health programs and HHS programs that were limited under previous versions of the rule, specifically regarding discrimination on the basis of sex, including sexual orientation and gender identity. Notably, the proposed rule also addresses the application of federal conscience and religious freedom laws and establishes a process to review whether an entity is entitled to an exemption from or modification of the 1557 regulations based on such laws. Comments on the proposed rule closed in October, and we expect related developments on regulations addressing gender discrimination in federal health programs.

Health Data Privacy 

As a result of the Dobbs decision, the Biden Administration also continues to issue regulations to protect patients’ health data privacy, including reproductive health information. In August, the Federal Trade Commission also issued a notice of proposed rulemaking on the prevalence of commercial surveillance and data security practices, including in the health care sector. Most recently, OCR issued a bulletin outlining the obligations of regulated entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) when using online tracking technologies; the bulletin notably includes several examples focused on protecting reproductive health information. Building on these actions, we expect federal agencies to issue additional guidance on the HIPAA Privacy Rule and on protecting reproductive health care information.

In addition to changes in guidance to support reproductive health care services, HHS has also focused on improving access to health data, supporting care coordination, and improving interoperability by issuing a notice of proposed rulemaking that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder records. As we previously discussed, these modifications are intended to align Part 2’s currently stringent rules more closely with health information privacy rules promulgated under HIPAA and to improve the ability of entities subject to Part 2’s restrictions to use, disclose, and redisclose substance use disorder-related information. Regulatory action on health data privacy is being taken against the backdrop of stalled Congressional negotiations on the American Data Privacy and Protection Act (H.R.8152), which proposes to establish a national data security and digital privacy framework, as well as other data privacy bills. Bipartisan lawmakers agree that additional safeguards are needed to protect consumers’ online data, which indicates that we may see legislative action in the new Congress.  

Telehealth 

Depending on whether telehealth extensions are included in the fiscal year 2023 appropriations legislation, Congress may act to bolster federal support for telehealth and extend certain Medicare telehealth flexibilities beyond the COVID-19 PHE. HHS recently extended numerous telehealth flexibilities in the 2023 Medicare Physician Fee Schedule Final Rule for 151 days after the end of the COVID-19 PHE, in alignment with the Consolidated Appropriations Act, 2022. In July 2022, the House of Representatives passed, 416-12, the Advancing Telehealth Beyond COVID-19 Act of 2021 (H.R.4040), which modifies the extension of certain Medicare telehealth flexibilities (i.e., waiving originating site restrictions; allowing audio-only coverage; and expanding the list of telehealth practitioners) through December 2024. HHS will likely provide additional resources and guidance on telehealth, specifically regarding originating site and delivery modality flexibility. During the COVID-19 pandemic, members of Congress and the Biden Administration have acknowledged the importance of telehealth for providing continued access to care, especially for certain vulnerable populations, and have expressed interest in expanding federal support for telehealth. 

Price Transparency 

In 2023, Congress and the Administration will continue to advance price transparency efforts and urge hospitals to comply with the Hospital Price Transparency Final Rule, which required hospitals to disclose their standard charges and make prices publicly available for consumers. In September, the HHS Office of the Inspector General (OIG) announced that it would review the controls in place at the Centers for Medicare & Medicaid Services (CMS) and statistically sample hospitals to determine whether CMS’s controls are sufficient to ensure that hospital pricing information is readily available to patients as required by law. The findings of OIG’s review are expected to be released next year. On the Congressional side, bipartisan leaders of the House Energy and Commerce Committee continue to express concern about hospital noncompliance with the final rule. Committee leaders recently sent a letter to the Government Accountability Office requesting that it examine hospital compliance with the provisions of the Hospital Price Transparency Final Rule in addition to CMS’s efforts to monitor and enforce hospital compliance. 

In regard to the Administration’s price transparency efforts, we also expect to see rulemaking from HHS, along with three other federal agencies, on advanced explanation of benefits and good faith estimate (GFE) requirements of the No Surprises Act after they had issued a request for information in September. Most recently, HHS announced that it would extend beyond January 1, 2023 its enforcement discretion, pending future rulemaking, on the requirement that health care providers make available GFEs to uninsured and self-pay individuals when there are co-providers or co-facilities under the No Surprises Act.  

Next Steps 

In collaboration with Crowell & Moring Government Affairs Group and Crowell & Moring International, Crowell Health Solutions will examine the post-election landscape in health care policy on December 13 at 1:00 PM. We invite you to attend this webinar on what to expect in health care in 2023 in Washington DC, across the U.S., and abroad and how potential policy changes may impact your organization.


The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) recently issued a bulletin highlighting the obligations that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes on regulated entities under the HIPAA Privacy, Security, and Breach Notification Rules when they use online tracking technologies. The bulletin defines tracking technologies, provides examples of potentially impermissible disclosures of electronic protected health information (ePHI) by HIPAA regulated entities to online tracking technology vendors, and outlines the steps regulated entities must take to protect ePHI when using tracking technologies in order to comply with the HIPAA Rules.

Regulated entities use tracking technologies on websites or mobile apps to collect and analyze information about how users are interacting with a regulated entity’s website or mobile application and may engage a technology vendor to perform analyses on user activity. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes protected health information (PHI). In the bulletin, OCR emphasizes that regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. OCR notes that failure to comply with the HIPAA rules may result in a civil monetary penalty.

PHI and Tracking Technologies

OCR explains that when HIPAA regulated entities use tracking technologies on their websites or mobile apps, the data collected by those technologies is often PHI. Specifically, information such as an individual’s medical record number, home or email address, or dates of appointments, as well as an individual’s IP address or geographic location, medical device IDs, or any unique identifying code may be PHI, even if the data does not include specific treatment or billing information like dates and types of health care services. OCR notes that where the information connects the individual to the regulated entity (i.e., it indicates that the individual has received or will receive health care services or benefits from the covered entity), it relates to the individual’s past, present, or future health or health care or payment for care even without specific health care or billing information.

Applicability for Various Tracking Technologies

OCR provides insight and examples of how the HIPAA Rules apply to regulated entities’ use of tracking technologies on user-authenticated webpages, unauthenticated webpages, and mobile apps.

  • Tracking on user-authenticated webpages:  OCR states that regulated entities must configure any user-authenticated webpages (i.e., sites that require a user to log in to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform) that include tracking technologies to allow such technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the ePHI collected through its website is protected and secured in accordance with the HIPAA Security Rule. Furthermore, regulated entities that contract with tracking technology vendors to transmit PHI or provide certain services on behalf of a regulated entity must ensure that the disclosures made to such vendors are permitted by the Privacy Rule, including entering into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules.
    • For example, if an individual makes an appointment through the website of a covered health clinic and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate and a BAA is required.
  • Tracking on unauthenticated webpages: OCR states that since tracking technologies on regulated entities’ unauthenticated webpages generally do not have access to individuals’ PHI, the HIPAA Rules would not apply to a regulated entity’s use of such tracking technologies. However, OCR provides examples of tracking technologies on unauthenticated webpages that may have access to PHI, in which case the HIPAA Rules apply to the regulated entity’s use of the tracking technologies and its disclosures to the tracking technology vendors. For example:
    • The HIPAA rules apply when tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login or registration information.
    • The HIPAA rules apply when tracking technologies collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. OCR notes that this may apply when the website addresses specific symptoms or health conditions, such as pregnancy or miscarriage.
  • Tracking on mobile apps: OCR states that regulated entities must comply with the HIPAA Rules for any PHI that individuals disclose on mobile apps, including any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information. OCR notes that the HIPAA Rules do not protect the privacy and security of information that users voluntarily download or enter into mobile apps that are not developed or offered by or on behalf of regulated entities. In such instances, OCR states that other laws, including the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR), may apply when a mobile health app impermissibly discloses a user’s health information.
    • For example, the HIPAA Rules apply to any PHI collected by a covered health clinic through the clinic’s mobile app used by patients to track health-related variables associated with pregnancy (e.g., menstrual cycle, body temperature, contraceptive prescription information).
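As an added example (not from the OCR bulletin or the original post), the following Python audit inventories the third-party scripts, pixels and frames a page loads and tags each finding with the page context the bulletin distinguishes above, so a compliance team can see which vendor hosts receive data from authenticated, login/registration or appointment-search pages. The hostnames, URL paths and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path fragments matching the unauthenticated pages the bulletin says may
# still expose PHI: login/registration pages and appointment searches.
SENSITIVE_PATHS = ("login", "register", "signup", "appointment")

# Constructed sample page: one first-party script, one first-party iframe,
# one third-party analytics script and one third-party tracking pixel.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script async src="https://tracker.example/analytics.js"></script>
<img src="//pixels.example/px.gif?ev=appt_search" width=1 height=1>
<iframe src="https://www.clinic.example/embed/chat"></iframe>"""


class LoadCollector(HTMLParser):
    """Records the URL of every script, image and iframe the page loads."""

    def __init__(self):
        super().__init__()
        self.loads = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.loads.append((tag, src))


def page_context(url, authenticated):
    """Map a page URL to one of the bulletin's three cases."""
    if authenticated:
        return "authenticated"  # HIPAA Rules apply to PHI the page handles
    path = urlparse(url).path.lower()
    if any(p in path for p in SENSITIVE_PATHS):
        return "unauthenticated-sensitive"  # bulletin: Rules may still apply
    return "unauthenticated-general"  # bulletin: generally no PHI access


def audit_page(url, html, authenticated=False):
    """Return every third-party load with its page context and review flag."""
    site = urlparse(url).hostname.removeprefix("www.")
    collector = LoadCollector()
    collector.feed(html)
    context = page_context(url, authenticated)
    findings = []
    for tag, src in collector.loads:
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host and host != site and not host.endswith("." + site):
            findings.append({"vendor_host": host, "element": tag,
                             "context": context,
                             "review_for_phi": context != "unauthenticated-general"})
    return findings
```

Every flagged host is a vendor to check against the organization’s BAA inventory, or to remove from that page if no BAA and no permissible purpose exists.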

Compliance Obligations for Regulated Entities

OCR outlines HIPAA Privacy, Security, and Breach Notification requirements that regulated entities must meet when using tracking technologies with access to PHI. OCR states that regulated entities should ensure that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that only the minimum necessary PHI to achieve the intended purpose is disclosed. OCR also explicitly states that it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information and that any disclosure of PHI to the vendor can only be done with an individual’s authorization or where the vendor has a signed BAA in place and the disclosure is for a permissible purpose.

OCR notes that website or mobile app privacy policies, notices, or terms and conditions are not sufficient to meet HIPAA requirements.

Takeaways

Regulated entities should evaluate their relationships with tracking technology vendors to determine whether any data disclosed is PHI, determine whether such vendor meets the definition of a business associate, and ensure that the disclosures made to such vendor are permitted by the Privacy Rule.

OCR recommends that regulated entities address the use of tracking technologies in the regulated entity’s risk analysis and management processes and implement other safeguards in accordance with the Security Rule, including encrypting ePHI that is transmitted to the tracking technology vendor. OCR also recommends that regulated entities provide breach notification to affected individuals, HHS, and the media of an impermissible disclosure of PHI to a tracking technology vendor in situations where there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. 

Notably, a number of the examples focus on reproductive health information. As we previously discussed, the Biden Administration and OCR have been taking action to ensure compliance with privacy protections for sensitive reproductive health information, including under HIPAA. We expect additional clarification from the Administration about protecting health information, particularly as it relates to reproductive health services, and will continue to follow these developments.

For more information, or to better understand how this guidance impacts your organization, please contact the professionals listed below, or your regular Crowell & Moring contact.