Earlier this week, the United States Department of Health and Human Services (“HHS”) released a Notice of Proposed Rulemaking (“NPRM”) that proposes to make sweeping changes to regulations at 42 C.F.R. part 2 (“Part 2”) governing the confidentiality of substance use disorder (“SUD”) records. These modifications, which implement provisions of section 3221 of the Coronavirus
The Russia-Ukraine conflict is increasing the risk of ransomware attacks and other cyber threats for U.S. companies, and those in the health care industry may be targeted. In a recent analyst note from the Department of Health & Human Services (“HHS”), HHS describes the cyber capabilities of Russia, one of the world’s major cyberpowers, and analyzes two malware variants most likely to impact the U.S. health care and public health sector. …
Continue Reading Increased Cyber Risk for Health Care Organizations Due to the Russia-Ukraine Conflict
On January 18, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the entity chosen as a contracting partner, The Sequoia Project, Inc., published the long-awaited Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. In simple terms, TEFCA is a framework that health information networks (HINs) may enter into to share health data with other HINs, individuals, and entities. The stated goal of TEFCA is to develop uniform policies and technical requirements to scale health information exchange nationwide and ensure that HINs, health care providers, health plans, individuals, and other stakeholders can access real-time, interoperable health information.
Continue Reading ONC Releases a Framework for Nationwide Health Information Exchange
This article was originally published in Corporate Compliance Insights.
Both your company’s data supply chain and its physical version have fundamentally similar business risks. Given the consequences of unethical practices along both, enterprises can no longer ignore how data is sourced, how it is managed or where it is going.
While many organizations go to great lengths to monitor their physical supply chain, their data supply chain often gets short shrift. For any company interacting with large sets and various streams of information, this can represent a significant exposure to risk.
Since the first investigation under the U.S. FCPA concerning a third party acting on behalf of a U.S. company was initiated nearly 40 years ago, upholding integrity in global supply chains has garnered attention. Rightfully so, as compounding risks in physical production and movement of goods abound upstream (e.g., forced labor, conflict materials, environmental impact) and downstream (e.g., bribery, fraud, misuse).
Continue Reading Is Your Data Supply Chain Ethical? Don’t Restrict Due Diligence to Physical Operations.
On May 14, 2021, CMS published FAQs addressing questions that have been raised regarding the Interoperability and Patient Access final rule published May 2020. CMS is careful to note that the FAQs “do not have the force and effect of law and are not meant to bind the public in any way, unless specifically incorporated into a contract, as directed by a program.” CMS has provided links and other guidance, including regarding technical standards, best practices, and privacy and security resources, and has directly addressed questions raised by trade associations and others.
We summarize some of the key points addressed in the FAQs. We encourage you to review the full CMS response where questions arise in your implementation.
Continue Reading CMS Issues First FAQs on the CMS Interoperability and Patient Access Rule
Earlier this month, OIG issued a Special Fraud Alert on Speaker Programs warning drug and device companies and health care providers that it has significant concerns about payments for “speaker programs.” Based on recent investigations and enforcement activity, the OIG has found that a number of speaker programs sponsored by drug and device manufacturers violate the federal Anti-Kickback Statute (AKS). OIG is skeptical about the educational value of speaker programs provided under circumstances that are not conducive to learning and to audience members who have no legitimate reason to attend. Additionally, OIG questions the value of such events given that health care providers can access the same or similar information online, on the product’s package insert, third-party educational conferences, medical journals, and more. Because all of this material is already available, OIG warns “that at least one purpose of remuneration associated with speaker programs is often to induce or reward referrals” in violation of the federal Anti-Kickback Statute (AKS).
OIG defined speaker programs as drug or device “company-sponsored events at which a [outside] physician or other health care professional (collectively, “HCP”) makes a speech or presentation to other [outside] HCPs about a drug or device product or a disease state on behalf of the company” using a presentation developed and approved by the company. HCPs are paid an honorarium and attendees are paid generally through free meals and drinks, for example.
Based on its investigations to date, OIG provided an illustrative list of speaker program characteristics that result in higher level of scrutiny with respect to AKS violations:…
On October 29, 2020, the Departments of Health and Human Services, Labor, and the Treasury (“the Departments”) issued a final rule requiring private-sector health insurers and self-insured health plans to disclose treatment prices and cost-sharing information with consumers. The Transparency in Coverage rule comes in response to President Trump’s executive order aiming to increase transparency in the healthcare industry. It is slated to become effective on January 11, 2021.
The final rule contains three main parts: (1) requirements for plans and issuers to disclose estimated costs associated with covered items or services furnished by a particular provider; (2) requirements for plans and issuers to publicly disclose reimbursement rates; and (3) amendments to the medical loss ratio program rules to allow issuers to receive credit for enrollees’ savings. Each part is discussed below.
First, insurers and employer-sponsored health plans will be required to provide price estimates, including in-network and out-of-network negotiated rates, for health care items and services upon request. The regulation requires these estimates beginning in 2023 for the 500 most “shoppable” items and services on an internet-based self-service tool (and in paper form, if requested by the participant, beneficiary, or enrollee). Among the 500 “shoppable services” are mammograms, physician visits, colonoscopies, and various blood tests, biopsies, and X-rays, and the full list is specified in the regulations. Then, beginning in 2024, price estimates for all remaining items and services offered, including procedures, drugs, durable medical equipment, must be disclosed. The price transparency requirements include disclosure of the following:…
Last week, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule: Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency (Interim Final Rule) providing needed relief to entities working toward compliance. In the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Rule), issued on May 1, 2020, ONC defines the entities that are subject to the rule’s provisions. ONC refers to these entities as Actors. Actors include health care providers, health IT developers of certified health IT, Health Information Exchanges (HIEs), and Health Information Networks (HINs). The Interim Final Rule provides these Actors with “additional flexibilities” to implement the provisions of the ONC Rule including updated compliance dates. ONC explained that the extension is due to the outbreak of COVID-19 public health emergency; however, this will also provide ONC with additional time to provide answers to the numerous questions that the agency has received as Actors work toward compliance. ONC is accepting comments on this rule, as is typical for an interim final rule. These comments must be submitted to regulations.gov by January 4, 2021.
The Interim Final Rule extends “the applicability date for the information blocking provisions and compliance dates and timeframes for certain Program requirements, including compliance dates for certain 2015 Edition health IT certification criteria and Conditions and Maintenance of Certification requirements.” See CMS and ONC Enforcement Deadlines Chart for more information about compliance dates for the ONC Rule.
On August 20, 2020 the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (85 Fed. Reg. 51397) on good practices for the release and maintenance of agency guidance documents. Comments must be posted by 11:59 pm on September 16, 2020.
As instructed in the October 9, 2019 Executive Order 13891 (EO), titled ‘‘Promoting the Rule of Law Through Improved Agency Guidance Documents (84 FR 55235 (Oct. 15, 2019)), HHS proposes to issue regulations to ensure (i) there is proper notice of any new guidance, and (ii) that the guidance does not impose obligations on regulated parties that are not already reflected in duly enacted statutes or regulations.
This proposed rule appears to follow the Office of Management and Budget, “Final Bulletin for Agency Good Guidance Practices,” issued on January 25, 2007 (72 Fed. Reg. 3432) with respect to the significant guidance document that may, for example “adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities” or “materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof” and generally requires a 30 day notice and comment period.
On April 30, 2020, the Centers for Medicare and Medicaid Services (CMS) announced a second round of regulatory waivers and rule changes in an interim final rule with comment (IFC) that added significant flexibilities for the coverage of telehealth services furnished by a broader set of eligible clinicians and in nontraditional health settings during the…