Last week, the Center for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules are considering how they may facilitate their access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and timing and what acts may constitute violations of these rules.  To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule.  For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at jdaniel@crowell.com.

As you read the chart, you should keep the following in mind:


Continue Reading Compliance Reference Chart for ONC and CMS Interoperability Rules

Payers, Providers, and Patients – Oh My! Is Crowell & Moring’s health care podcast, discussing legal and regulatory issues that affect health care entities’ in-house counsel, executives, and investors. In this episode, hosts Payal Nanavati and Joe Records sit down with Jodi Daniel and Ambassador Robert Holleyman to discuss how regulators—across the U.S. and the

Payers, Providers, and Patients – Oh My! Is Crowell & Moring’s biweekly health care podcast, discussing legal and regulatory issues that affect health care entities’ in-house counsel, executives, and investors. In this episode, hosts Payal Nanavati and Joe Records discuss recent FDA guidance related to digital health with Jodi Daniel and Shaina Vinayek. For

In September 2019, the Food & Drug Administration (FDA) issued a new draft “Clinical Decision Support Software” guidance for public comments, which are due December 26, 2019. Concurrently, the agency published updates to four related guidance documents centered on regulation of digital health software products along with a consolidated summary titled “Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act,[1] but is not soliciting comment on those. All of these guidance documents now account for the exclusion of certain software functions from the definition of “device” under the 21st Century Cures Act (Cures Act) amendments to the Food, Drug, and Cosmetic Act (FDCA) in 2016 and clarify FDA’s enforcement and monitoring positions vis-à-vis its legal authorities.

The rapid expansion of software and mobile medical applications in health care has made this guidance necessary in order to manage the FDA’s regulatory scope and provide clarity to medical device and health care companies seeking to use more software and mobile app solutions in their products and services. Digital health stakeholders, particularly medical device manufacturers, software developers, and mobile medical application developers should consider the effect of these guidance documents on their go-to-market strategies and submit comments regarding items from the FDA’s newest guidance documents that would create unnecessary burden or not address patient safety issues or other risks that FDA seeks to mitigate. We summarize the key points of each of the FDA’s guidance documents below.


Continue Reading FDA Seeks Comment on Clinical Decision Support Software Guidance and Issues Policy Updates on its Oversight Authority Regarding Medical Software and Apps

On October 3, President Trump signed an Executive Order on Protecting and Improving Medicare for Our Nation’s Seniors (EO), directing the Department of Health and Human Services (HHS) to develop various proposals to “protect and improve the Medicare” program as an alternative to the Medicare for All Act.

The EO aims to:

• Expand Medicare

HHS’s Substance Abuse and Mental Health Services Administration (“SAMHSA”) proposed updated rules to clarify the scope of perceived barriers to sharing information regarding treatment for substance use disorders (SUDs) among providers, with research entities, and for law enforcement purposes. The proposed changes to the 42 C.F.R. Part 2 (“Part 2”) regulations appear in two Notices of Proposed Rulemaking (“NPRMs”), which are also summarized in a Fact Sheet. These proposals are part of HHS’s Regulatory Sprint to Coordinated Care, an agency-wide effort to remove regulatory obstacles to care coordination and information-sharing. HHS is anticipated to release proposed rules on HIPAA, the Physician Self-Referral Law and Anti-Kickback Statute by the end of 2019 as part of this effort as well.

The proposed Part 2 updates could have significant impacts on how health care providers, researchers, and health technology companies protect and share SUD information with each other, so interested parties should submit comments on the NPRMs before the deadlines, and prepare to submit comments in response to HHS’s other Regulatory Sprint to Coordinated Care efforts in the coming months.

Background


Continue Reading New Proposed Rules on Confidentiality of Substance Use Disorder Data Would Address Care Coordination and Law Enforcement Challenges

Electronic health record (EHR) vendor Allscripts recently disclosed on an earnings call that it has reached a tentative agreement with the Department of Justice (DOJ) to pay $145 million to settle an investigation into the regulatory compliance of one of its recent acquisitions, Practice Fusion. This news, combined with DOJ’s other recent successful enforcement actions against EHR companies, represents a trend and should be a warning that compliance is a priority when it comes health IT. We anticipate that there will be more Anti-Kickback, HIPAA, and False Claims Act cases against similar health IT targets in the pipeline.

Allscripts acquired Practice Fusion, also an electronic health record company, in February 2018. According to the company’s public SEC filing from the first quarter of 2019, the investigation “relates to both the certification Practice Fusion obtained in connection with the U.S. Department of Health and Human Services’ Electronic Health Record Incentive Program and Practice Fusion’s compliance with the Anti-Kickback Statute and HIPAA.”


Continue Reading Allscripts Close to Reaching Deal with DOJ for Health IT Certification, Anti-Kickback Statute, and HIPAA Issues

A patient has an emergency and goes to a hospital she knows is in her plan’s network. She receives treatment. She leaves the hospital. Weeks later, she receives a medical bill for tens of thousands of dollars. Unbeknownst to her, some or all of her treating doctors were out-of-network.

This all-too-common story has contributed to a significant medical debt crisis in this country, and has captured the attention of policymakers on all sides of the political spectrum—leading to the rare circumstance of executive and legislative alignment and the potential for bipartisan legislative action.

Proponents of price transparency hope that it will improve competition and allow patients to better understand their financial responsibility ahead of receiving services. The idea is that disclosing prices to individuals will incentivize them to “shop around” for health care services, which may drive down costs. On the other hand, opponents of price transparency argue that releasing such information could compromise bargaining leverage between third party payers and providers, and have the effect of driving up prices since information exchanges in concentrated markets can lead to tacit coordination that’s difficult to detect and punish under the antitrust laws.


Continue Reading Trump Administration and Congress Are Moving Quickly on Health Care Price Transparency and Lowering Costs

The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier level of culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMPs ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP range the person could be levied was $100-$50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjusted for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:.


Continue Reading HIPAA Spring Cleaning! Tidying Up Penalty Limits and FAQs on Patients’ Right of Access

On March 27, 2019, the Centers for Medicare & Medicaid Services (CMS) announced a $1.65 million competition to accelerate development of AI solutions in health care. The Artificial Intelligence (AI) Health Outcomes challenge seeks innovative, AI-driven solutions that can predict unplanned hospital and skilled nursing facility (SNF) admissions and adverse events.

The challenge is a