HHS’s Substance Abuse and Mental Health Services Administration (“SAMHSA”) proposed updated rules to clarify the scope of perceived barriers to sharing information regarding treatment for substance use disorders (SUDs) among providers, with research entities, and for law enforcement purposes. The proposed changes to the 42 C.F.R. Part 2 (“Part 2”) regulations appear in two Notices of Proposed Rulemaking (“NPRMs”), which are also summarized in a Fact Sheet. These proposals are part of HHS’s Regulatory Sprint to Coordinated Care, an agency-wide effort to remove regulatory obstacles to care coordination and information-sharing. HHS is anticipated to release proposed rules on HIPAA, the Physician Self-Referral Law and Anti-Kickback Statute by the end of 2019 as part of this effort as well.

The proposed Part 2 updates could have significant impacts on how health care providers, researchers, and health technology companies protect and share SUD information with each other, so interested parties should submit comments on the NPRMs before the deadlines, and prepare to submit comments in response to HHS’s other Regulatory Sprint to Coordinated Care efforts in the coming months.

Background



Electronic health record (EHR) vendor Allscripts recently disclosed on an earnings call that it has reached a tentative agreement with the Department of Justice (DOJ) to pay $145 million to settle an investigation into the regulatory compliance of one of its recent acquisitions, Practice Fusion. This news, combined with DOJ’s other recent successful enforcement actions against EHR companies, represents a trend and should be a warning that compliance is a priority when it comes to health IT. We anticipate that there will be more Anti-Kickback, HIPAA, and False Claims Act cases against similar health IT targets in the pipeline.

Allscripts acquired Practice Fusion, also an electronic health record company, in February 2018. According to the company’s public SEC filing from the first quarter of 2019, the investigation “relates to both the certification Practice Fusion obtained in connection with the U.S. Department of Health and Human Services’ Electronic Health Record Incentive Program and Practice Fusion’s compliance with the Anti-Kickback Statute and HIPAA.”



A patient has an emergency and goes to a hospital she knows is in her plan’s network. She receives treatment. She leaves the hospital. Weeks later, she receives a medical bill for tens of thousands of dollars. Unbeknownst to her, some or all of her treating doctors were out-of-network.

This all-too-common story has contributed to a significant medical debt crisis in this country, and has captured the attention of policymakers on all sides of the political spectrum—leading to the rare circumstance of executive and legislative alignment and the potential for bipartisan legislative action.

Proponents of price transparency hope that it will improve competition and allow patients to better understand their financial responsibility ahead of receiving services. The idea is that disclosing prices to individuals will incentivize them to “shop around” for health care services, which may drive down costs. On the other hand, opponents of price transparency argue that releasing such information could compromise bargaining leverage between third party payers and providers, and have the effect of driving up prices since information exchanges in concentrated markets can lead to tacit coordination that’s difficult to detect and punish under the antitrust laws.



The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMP ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range that could be levied against the person was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:



On March 27, 2019, the Centers for Medicare & Medicaid Services (CMS) announced a $1.65 million competition to accelerate development of AI solutions in health care. The Artificial Intelligence (AI) Health Outcomes challenge seeks innovative, AI-driven solutions that can predict unplanned hospital and skilled nursing facility (SNF) admissions and adverse events.

The challenge is a

In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance



  • More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information is protected, and that they have certain rights with respect to that information, only when it is held by certain entities, but not when it is held by others.
  • The private sector should work with regulators to develop a common-sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.

The Centers for Medicare & Medicaid Services (CMS) recently proposed a rule to allow Medicare Advantage plans to expand telehealth benefit coverage. (See alert for more detail.) This proposed rule implements the statutory provisions in section 50323 of the Bipartisan Budget Act of 2018. What you might not know, however, is that the Bipartisan Budget Act of 2018 is only one of many legislative vehicles by which advocates for telehealth expansion have been able to move the needle definitively in their favor during this session of Congress.

Over the past two years, Congress has shown its support for the utilization of telehealth by introducing forty-one bills that, if passed, would require Medicare to reimburse providers for their use of telehealth to treat numerous health conditions such as stroke diagnosis, mental health, chronic care management and opioid addiction treatment. Of note, the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 was the predecessor bill that passed out of the Senate in September of 2017 and became law on February 9, 2018 as a part of the Bipartisan Budget Act of 2018.

This blog post has been prepared in collaboration with Nemours. Ms. Boyer is a Manager of Nemours Children’s Hospital. Maya Upplauru is an associate in Crowell & Moring’s Health Care Group in Washington, D.C.

This Bulletin is brought to you by AHLA’s Children’s Health Affinity Group, which is part of the Academic Medical Centers and Teaching Hospitals and In-House Counsel Practice Groups.

One of the most fear-inducing experiences for new and first-time parents is the middle-of-the-night illness of a young child. Many may head directly to the emergency department (ED) because they lack any means to communicate with their health care provider after hours. Parents of children with chronic conditions or rare diseases are often forced to travel long distances to see specialists at regional centers of excellence and may struggle to check in or get questions answered once they are back at home. Teenagers managing chronic conditions may prematurely discontinue their treatment plan when they transition to college in a different state or when they enter the working world after college.

CMS has finalized the adoption of multiple CPT codes in the CY 2019 PFS that create more opportunities for providers and digital health companies to collaborate on chronic care management business models in the fee-for-service market.

Virtual Check-Ins

CMS finalized the creation of a new code to reimburse providers for brief “check-in” services conducted using communications technology by creating HCPCS code G2012, defined as “[b]rief communication technology-based service, e.g. virtual check-in.”