On June 27, 2023, the Department of Health and Human Services (“HHS”) Office of Inspector General (“OIG”) issued a final rule (“OIG Final Rule”) that implements statutory provisions for its enforcement of the information blocking penalties created by the 21st Century Cures Act (“Cures Act”) and assessment of civil money penalties (“CMPs”) of up to $1 million per violation of information blocking for certain individuals or entities subject to the information blocking requirements.
Continue Reading HHS-OIG Releases Final Rule Implementing Information Blocking Penalties

On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data to third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.
Continue Reading FTC Announces Enforcement Action Against Ovulation Tracking App Premom

On January 18, 2022, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the entity chosen as a contracting partner, The Sequoia Project, Inc., published the long-awaited Trusted Exchange Framework and Common Agreement (TEFCA) for health information exchange. In simple terms, TEFCA is a framework that health information networks (HINs) may enter into to share health data with other HINs, individuals, and entities. The stated goal of TEFCA is to develop uniform policies and technical requirements to scale health information exchange nationwide and ensure that HINs, health care providers, health plans, individuals, and other stakeholders can access real-time, interoperable health information.
Continue Reading ONC Releases a Framework for Nationwide Health Information Exchange

Last week, the Office of the National Coordinator for Health Information Technology (ONC) published an Interim Final Rule: Information Blocking and the ONC Health IT Certification Program: Extension of Compliance Dates and Timeframes in Response to the COVID-19 Public Health Emergency (Interim Final Rule) providing needed relief to entities working toward compliance. In the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (ONC Rule), issued on May 1, 2020, ONC defines the entities that are subject to the rule’s provisions. ONC refers to these entities as Actors. Actors include health care providers, health IT developers of certified health IT, Health Information Exchanges (HIEs), and Health Information Networks (HINs). The Interim Final Rule provides these Actors with “additional flexibilities” to implement the provisions of the ONC Rule, including updated compliance dates. ONC explained that the extension is due to the COVID-19 public health emergency; however, it will also give ONC additional time to answer the numerous questions that the agency has received as Actors work toward compliance. ONC is accepting comments on this rule, as is typical for an interim final rule. These comments must be submitted to regulations.gov by January 4, 2021.

The Interim Final Rule extends “the applicability date for the information blocking provisions and compliance dates and timeframes for certain Program requirements, including compliance dates for certain 2015 Edition health IT certification criteria and Conditions and Maintenance of Certification requirements.” See CMS and ONC Enforcement Deadlines Chart for more information about compliance dates for the ONC Rule.

Information Blocking
Continue Reading ONC Issues Interim Final Rule Extending Compliance Dates for the Information Blocking and the ONC Health IT Certification Program

Last week, the Centers for Medicare & Medicaid Services (CMS) finalized long-awaited regulations on Interoperability and Patient Access (the “CMS Rule”) to require Medicare Advantage plans, Medicaid and Children’s Health Insurance Program (CHIP) managed care plans, state agencies, and Qualified Health Plan (QHP) issuers on federally-facilitated exchanges (“CMS Payers”) to provide patients easy access to their claims and encounter information, as well as certain clinical information, through third-party applications of their choice. On the same day, the Office of the National Coordinator for Health Information Technology finalized its rules on Interoperability, Information Blocking, and the ONC Health IT Certification Program (the “ONC Rule”) related to the 21st Century Cures Act (Cures Act). The CMS Rule and ONC Rule have far-reaching impacts.

As individuals and organizations covered by the rules consider how they may facilitate access to health information to support patients, health care providers, and others, it is important to understand when provisions in the rules will be effective and what acts may constitute violations of these rules. To help clients get familiar with these deadlines, we are providing this summary chart of compliance requirements and applicable deadlines to help your organization prepare for upcoming enforcement of the ONC Rule and the CMS Rule. For legal advice tailored to the specific needs of your organization, please reach out to Jodi Daniel, head of the firm’s Digital Health Practice at jdaniel@crowell.com.

As you read the chart, you should keep the following in mind:
Continue Reading Compliance Reference Chart for ONC and CMS Interoperability Rules

In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance
Continue Reading HHS Releases Voluntary Cybersecurity Practices Guidance

  • More of our health information is becoming digital every day, as new technology companies enter the health care and wellness markets.
  • Many companies that hold a wealth of consumer health information are not covered by HIPAA.
  • Many consumers may not realize that their health information is protected, and that they have certain rights with respect to that information, only when it is held by certain entities, but not when it is held by others.
  • The private sector should work with regulators to develop a common sense, appropriate framework for use of health information by non-HIPAA covered entities.

As we await proposed HHS regulations on interoperability and patient access to data, and as more companies than ever before are collecting and using data to power advanced data analytics, artificial intelligence, and machine learning to improve health care quality and delivery, it is important to understand the scope and limitation of protections and the applicability of the HIPAA Privacy Rule.

Patients, providers and caregivers now have access to a wide array of devices and applications to manage and track patient health, improve treatment adherence, and better coordinate care. Large technology companies, athletic gear manufacturers, and others are entering a rapidly growing consumer health technology market. They are developing new technologies including tracking apps, wearables, and social networks that are increasingly integrated into patients’ daily lives. With an estimated 86.7 million U.S. consumers owning wearable devices by 2019, patients are generating billions of data points that provide insight into their health. Yet many of these companies are not subject to existing privacy protections under HIPAA, creating a significant gap in consumer protections.

At the same time, HHS is pushing for greater interoperability and patient access to data to address a challenge that remains widespread even after the investment of billions of federal dollars into the adoption of electronic health records. Agencies are encouraging and mandating easier availability of electronic health data, through current and anticipated CMS and ONC regulations and through a variety of government initiatives such as: 1) Blue Button and MyHealtheData; 2) incentivizing the adoption of open APIs; 3) developing new fee-for-service payment policies regarding remote monitoring and virtual care reimbursement; and 4) launching Sync for Science, a technical standard for facilitating patient-mediated data exchange for research. Consumers and companies alike seek guidance on the implications of collecting, storing, maintaining, and commercializing personal health data.
Continue Reading Closing the Health Information Privacy Divide

The Centers for Medicare & Medicaid Services (CMS) recently proposed a rule to allow Medicare Advantage plans to expand telehealth benefit coverage. (See alert for more detail.) This proposed rule implements the statutory provisions in section 50323 of the Bipartisan Budget Act of 2018. What you might not know, however, is that the Bipartisan Budget Act of 2018 is only one of many legislative vehicles by which advocates for telehealth expansion have been able to move the needle definitively in their favor during this session of Congress.

Over the past two years, Congress has shown its support for the utilization of telehealth by introducing forty-one bills that, if passed, would require Medicare to reimburse providers for their use of telehealth to treat numerous health conditions such as stroke diagnosis, mental health, chronic care management and opioid addiction treatment. Of note, the Creating High-Quality Results and Outcomes Necessary to Improve Chronic (CHRONIC) Care Act of 2017 was the predecessor bill that passed out of the Senate in September of 2017 and became law on February 9, 2018 as a part of the Bipartisan Budget Act of 2018.
Continue Reading Government Affairs – The Progress of Telehealth Bills in Congress

CMS has finalized the adoption of multiple CPT codes in the CY 2019 PFS that create more opportunities for providers and digital health companies to collaborate on chronic care management business models in the fee-for-service market.

Virtual Check-Ins

CMS finalized the creation of a new code to reimburse providers for brief “check-in” services conducted using communications technology by creating HCPCS code G2012, defined as “[b]rief communication technology-based service, e.g. virtual check-in.”
Continue Reading Digital Health Updates in the 2019 Physician Fee Schedule (PFS) Rule

Yesterday, the FDA released draft guidance on the management of cybersecurity in medical devices submitted to the agency for premarket review. Noting that cybersecurity threats to the healthcare sector have increased in number and severity, the FDA offered new recommendations for device design, labeling, and documentation that medical device manufacturers will need to consider during premarket submission processes.

The guidance comes shortly after the FDA’s launch of its Medical Device Cybersecurity Playbook, which provides a framework for healthcare delivery organizations to use in preparing for and responding to cybersecurity threats against patient medical devices.

Given rapid changes in technology and increasing innovation in the digital health market, the guidance intends to decrease the risk of cyberattacks that could render medical devices inoperable and potentially harm patients. Comments on the draft guidance are due on March 18, 2019.
Continue Reading FDA Issues New Guidance for the Management of Cybersecurity in Medical Devices