CMS health care staff vaccination rule enforceable as challenges continue

The CMS Omnibus COVID-19 Health Care Staff Vaccination Interim Final Rule survived its initial trip to the U.S. Supreme Court on January 13 with a per curiam decision that stayed injunctions placed on the rule by federal district courts in December.

The Supreme Court took the rare action of holding oral argument and then issuing a full opinion (with dissents) on the emergency stay application that had been brought by the Centers for Medicare & Medicaid Services, asking the Court to allow the agency to enforce the rule while challenges to its validity continue in the lower federal courts.

The Court was definitive that the rule as published falls within the authority of the Secretary of Health and Human Services to promulgate based on the statutory authority conferred by Congress through the Social Security Act (SSA). Specifically, the court found that the various statutory provisions within the SSA allow the Secretary to impose conditions of participation on the receipt of Medicare and Medicaid funds that are necessary in the interest of the health and safety of individuals who furnish services reimbursable under those programs and the federal program beneficiaries that they serve.

However, the Court’s opinion still leaves some questions unanswered about whether the rule will be enforceable in Texas and whether eventually some facilities may be exempted.


HHS issues Guidance on permitted HIPAA disclosures to prevent gun violence

According to the Centers for Disease Control and Prevention, firearm injuries are a serious public health problem in the United States. To combat this problem, many states have passed extreme risk protection order (“ERPO”) laws, otherwise known as “red flag laws.”

ERPO laws allow various individuals, including family members, health care providers, and law enforcement officers, to petition for court orders to temporarily prevent people in crisis and who pose a danger to themselves or others from accessing firearms. ERPOs generally require affidavits from witnesses or the petitioner to support the application. In some instances, those affidavits could rely on protected health information (“PHI”) that is prohibited from unauthorized disclosure subject to the HIPAA Privacy Rule.

On December 20, 2021, the Department of Health and Human Services (“HHS”) issued non-binding guidance (“Guidance”) to clarify the extent to which the HIPAA Privacy Rule permits regulated entities to disclose PHI to help prevent individuals in crisis from temporarily accessing firearms. The Guidance explains the three circumstances under which the Privacy Rule allows PHI to be disclosed by witnesses and petitioners in ERPO proceedings.

Those three circumstances are when the disclosure of PHI is:

  • Required by law (e.g., by state or federal statute or regulation, or by court order or subpoena) and complies with said law.
  • In response to a court or administrative tribunal order, subpoena, discovery request, or other lawful process in the course of a judicial or administrative proceeding. These disclosures can only be made within certain conditions as outlined in the Privacy Rule; for example:
    • Where a court order compels a provider to release an individual’s PHI to support an ERPO, the provider may only disclose the PHI that is authorized by the court order.
    • The Privacy Rule’s “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit most uses, disclosures, and requests to the “minimum necessary” PHI to accomplish the intended purpose of the use, disclosure, or request.
  • Necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. As with responding to court/administrative orders, the health care provider must follow the “minimum necessary” standard.

In approving the guidance, HHS Secretary Xavier Becerra stated: “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” and that the guidance is an “important step . . . towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.”

Reed Smith will continue to track developments related to this guidance and other developments involving the HIPAA Privacy Rule. Please reach out to the health care attorneys at Reed Smith if you have any questions about this Guidance or any related inquiries.

Pending investigations/cases no longer prevent OIG advisory opinions

The Department of Health and Human Services’ Office of Inspector General (OIG) will be lifting its long-standing refusal to accept requests for advisory opinions if the request describes a course of action that is “the same or substantially the same” as a course of action that is either under investigation by OIG, or is the subject of a proceeding involving a governmental agency. As of February 10, 2022, a new final rule issued by the OIG will do away with that restriction and allow entities to request an advisory opinion, even if the requested course of action is the same or substantially the same as one under investigation or is the subject of a proceeding involving a governmental agency. Previously, the OIG’s policy deliberately left unsettled many fraud-and-abuse issues implicated by pending investigations or litigation.

As the final rule points out, however, seeking clarity during a pending investigation or litigation will carry risk: the mere fact that a course of action is the subject of a qui tam case or under investigation “will weigh against the issuance of a favorable advisory opinion because such circumstances generally indicate that the arrangement does not present a sufficiently low risk of fraud and abuse.”

This warning seems to assume that all investigations and litigation have equal merit, which is certainly not the case with matters initiated by self-appointed whistle-blowers under the False Claims Act, who often bring cases with very little merit. Nevertheless, the new rule provides flexibility, and provides opportunities for the OIG to provide guidance to health care companies seeking to develop business opportunities that, for example, a long-pending and/or declined qui tam case may have stymied.


Future of discount safe harbor for prescription drugs remains uncertain

In November 2020, four months after the Trump Administration issued a series of Executive Orders reiterating its policy goals on reducing the costs to consumers for prescription drugs and directing the Department of Health and Human Services, Office of Inspector General (“HHS-OIG”) to implement those policy objectives, HHS-OIG issued a Final Rule to amend certain provisions in the safe harbor regulations under the Federal Anti-Kickback Statute (“AKS”). The Final Rule included three key provisions:

  1. Elimination of discount safe harbor protection for manufacturer rebates paid directly, or indirectly through a pharmacy benefit manager (“PBM”) to Medicare Part D or Medicare Advantage plans (the “Rebate Rule”);
  2. Creation of a new safe harbor to protect point-of-sale (“POS”) price reductions paid by manufacturers to Medicare Part D plans, Medicare Advantage plans, and Medicaid managed care organizations (“MCOs”); and
  3. Creation of a new safe harbor to protect fair-market-value (FMV) service fees paid to PBMs by manufacturers.

The Final Rule imposed a January 1, 2022, effective date for the Rebate Rule. However, in January 2021, two months after issuance of the Final Rule and in connection to a lawsuit brought by the Pharmaceutical Care Management Association challenging the Rebate Rule, the Biden Administration agreed to delay the Rebate Rule’s effective date to January 1, 2023, as reflected in an Order by the United States District Court for the District of Columbia.

In the intervening time though, Congress passed the Infrastructure Investment and Jobs Act (the “Infrastructure Act”). That law, signed by President Biden on November 15, 2021, further delayed implementation of the Rebate Rule to January 2026. Thus the rule, which many thought would be eliminated as part of paying for the cost of the infrastructure bill, was still alive, if only delayed until the middle of the next presidential term.


New and improved proposed national coverage determination on screening for lung cancer with low dose CT

The Centers for Medicare and Medicaid Services (CMS) is proposing significant and important modifications to its National Coverage Determination (NCD): Screening for Lung Cancer with Low Dose Computed Tomography (LDCT). Medicare pays for lung cancer screening, counseling, and shared decision-making visits, and for an annual screening for lung cancer with low dose computed tomography as a preventive service benefit under the Medicare program. CMS issued its NCD in 2015 initiating this screening benefit, but stakeholders have observed that many of the features of the initial NCD served as a barrier to the effectiveness of this screening program. The proposed NCD makes numerous improvements to this program and eliminates many of the barriers to qualified patients’ ability to gain access to important LDCT lung cancer screenings.

Last year, a formal joint request to reconsider the NCD was submitted to CMS by the GO2 Foundation for Lung Cancer, The Society of Thoracic Surgeons, and American College of Radiology (ACR), and CMS received numerous comments from various stakeholders, including from the Association for Quality Imaging. This new proposed NCD is in response to that request and the comments from stakeholders.


SCOTUS to examine “good faith” defense in criminal opioid prescription cases

On Nov. 5, 2021, the U.S. Supreme Court consolidated and granted certiorari to a pair of cases involving physicians who were criminally prosecuted for prescribing controlled substances (specifically, opioids) in violation of Section 841(a)(1) of the Controlled Substances Act (“CSA”). The consolidated cases—Ruan v. United States and Kahn v. United States—present questions regarding the requisite state of mind for a jury to convict a prescriber under the CSA and the availability and nature of a “good faith” defense to criminal liability under the statute. By agreeing to hear these cases, the Court positions itself to resolve, or at minimum weigh in on, the current circuit splits regarding these issues.

Under the CSA, as interpreted by the Supreme Court in United States v. Moore, 423 U.S. 122 (1975), practitioners who are registered to legally prescribe controlled substances can nonetheless be found to have violated the CSA if they prescribe in a manner that “fall[s] outside the usual course of professional practice.”  However, petitioners argue that the state of mind necessary to convict varies by circuit.  Judicial willingness to issue a specific jury instruction on the availability of a “good faith” defense similarly varies.


CMS issues interim final rule on SARS-CoV-2 vaccination for health care workers

The Centers for Medicare and Medicaid Services (CMS) has published an interim final rule that changed the conditions of participation in Medicare and Medicaid to require vaccination of certain healthcare workers. The rule, titled “Omnibus COVID-19 Health Care Staff Vaccination Rule,” was published in the Federal Register on November 5, 2021.

The rule requires all employees of certain health care entities that are regulated by CMS to obtain their first vaccination shot or apply for a religious or other health or disability related exemption by December 6, 2021. Additionally, the rule requires either completed vaccination series or approved exemption by January 4, 2022.

Covered Entities and Individuals

The rule is not a blanket vaccine mandate for all health care workers and Medicare sites of service as had been speculated in various media reports. Instead the rule is limited to only those entities who are surveyed by CMS and have Conditions of Participation, Conditions for Coverage, or Requirements for Participation in the Medicare and Medicaid programs.


HHS-OIG approves uniform chiropractic discount program for federal beneficiaries

Andrew and Quynh are law clerks at the firm and their work is supervised by licensed attorneys. Their admission to – respectively – the Washington, D.C. and California bar is pending.

On October 4, 2021, the Department of Health and Human Services Office of Inspector General (OIG) issued a favorable advisory opinion on a proposal by a chiropractic clinic operator to extend an existing discount program to federal health plan beneficiaries.

The requesting clinics initially offered various discount programs to their privately insured or self-paid patients, but not to Federal health care program beneficiaries. Many healthcare providers are hesitant to give federal beneficiaries access to certain discount programs because of concern that doing so would run afoul of Federal anti-kickback and beneficiary inducement statutes. Specifically, the concern is that if the beneficiaries receive discounts, clinics would provide patients with something of value—a discount on self-paid services—in exchange for the option to seek federally reimbursed services through a specific provider.

To address these concerns, the chiropractic clinic operator requested an advisory opinion from OIG on a new discount model that would extend discount programs to Federal health care program beneficiaries. While OIG found that the proposed discount program could result in prohibited compensation to patients, it also stated that it would not pursue an enforcement action based on the nature of the requesting clinics’ specific discount model.

Although only the requesting chiropractic clinic operator may rely on this opinion, OIG’s analysis implies that equalizing discount rates across federally reimbursable and non-reimbursable chiropractic services reduces legal risk under anti-kickback and beneficiary inducement statutes. Providers offering similar discount programs should take note to inform their compliance strategies.

FDA codifies requirements for the medical device De Novo classification process

On October 5, 2021, the U.S. Food and Drug Administration (“FDA”) published a final rule to establish requirements for the medical device De Novo classification process under the Federal Food, Drug, and Cosmetic Act.

The final rule, which takes effect January 3, 2022, comes nearly three years after the FDA first proposed it and, notably, sets forth the procedures and criteria for a manufacturer’s voluntary submission and withdrawal of a De Novo request.  Additionally, the rule clarifies how agency staff intends to accept and review the requests, as well as how FDA staff will determine whether to grant or decline the requests.  Finally, the rule also provides a way for combination products to use the De Novo pathway.

Useful for novel, low risk medical devices

The implementation of the De Novo classification process is especially significant for manufacturers of novel, low-risk medical devices.  Prior to the De Novo program, which was created in 1997, any device that lacked a predicate automatically became designated as a Class III device and, therefore, required premarket approval to legally reach the market.  Because this premarket pathway is designed to regulate the riskiest category of devices, manufacturers typically had to endure longer than anticipated wait times for approval of their low-risk devices.


FTC warns non-HIPAA covered entities to comply with Health Breach Notification Rule

In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health. Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement mechanisms regarding the privacy and security of health information, including state and federal law, regulations, and federal agency guidance. At times, these legal protections and enforcement mechanisms intersect, bringing the enforcement powers of multiple federal regulations and agencies to bear to protect the privacy and security of consumers’ health information.

On September 15, 2021, the Federal Trade Commission (“FTC”) released a policy statement addressing the scope of the FTC’s Health Breach Notification Rule with respect to applications and connected devices that collect health information. At first glance, the FTC’s Health Breach Notification Rule and the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations appear to operate in similar spaces, both regulating access to health information. However, HIPAA and the FTC Rule apply to different entities. HIPAA applies to covered entities and their business associates (e.g., health care providers that submit claims electronically, health plans, and health care clearinghouses, and third parties that provide services for or on behalf of these types of organizations that generally require access to protected health information) and the FTC Rule applies to businesses not regulated by HIPAA. Therefore, while the regulations operate in similar spaces, the scope of the regulations differs.

For further discussion on the FTC’s policy statement, the Health Breach Notification Rule, and its differentiation from HIPAA, please see our post on Reed Smith’s Technology Law Dispatch.

Biden administration looks to centralize pandemic response in preparedness plan

In a report released on September 2, 2021 the Biden administration announced its plan to help prepare the nation for future pandemic threats. In the report, named American Pandemic Preparedness: Transforming Our Capabilities, the administration described what it sees as the vital need to change the nation’s capabilities to better respond to any future pandemics or biological threats.

The report organizes the proposed actions under five pillars: (1) Transforming Medical Defenses, (2) Ensuring Situational Awareness, (3) Strengthening Public Health Systems, (4) Building Core Capabilities, and (5) Managing the Mission.

The report calls for action to “not just refill our stockpiles, but also to transform our capabilities.” The report compares the proposed plan to the Apollo space program because of the importance that the administration is placing on the efforts as well as the proposed coordination among agencies and departments.

Ultimately, the administration is planning to create a centralized “mission control” that would work to coordinate resources and expertise from multiple agencies within the Department of Health and Human Services like the National Institutes of Health, Centers for Disease Control and Prevention, Biomedical Advanced Research and Development Authority (a component of the office of the Assistant Secretary for Preparedness and Response), Food and Drug Administration and the Centers for Medicare and Medicaid Services, along with other cabinet-level departments such as the Department of Defense, Department of Energy, and the Veterans Administration.


DOJ revises approach to publication and enforcement of guidance documents

On July 1, 2021, the Department of Justice (DOJ) released a memorandum signed by Attorney General Merrick Garland regarding the issuance and use of guidance documents. Addressed to the heads of all DOJ components, the memorandum rescinds two previous DOJ memoranda and outlines the principles governing the DOJ’s revised approach in evaluating guidance documents.

2017 Memorandum

On November 16, 2017, then Attorney General Jeff Sessions published a memorandum entitled “Prohibition on Improper Guidance Documents” (the “2017 Memorandum”). The 2017 Memorandum sought to address instances in which guidance documents published by the DOJ were being used to “effectively bind private parties without undergoing the [notice-and-comment] rulemaking process.” Under the 2017 Memorandum, Attorney General Sessions prohibited publication of guidance documents “that purport to create rights or obligations binding on persons or entities outside the Executive Branch (including state, local and tribal governments).”  The 2017 Memorandum directed the DOJ to also adhere to several principles in constructing and publishing guidance documents. These included avoiding the use of mandatory language, specifically noting that voluntary standard non-compliance would not result in enforcement action and including unambiguous statements that published guidance documents were not legally-binding final agency actions.

Brand Memo

Following the 2017 Memorandum, then Associate Attorney General Rachel Brand released a memorandum entitled “Limiting Use of Agency Guidance Documents In Affirmative Civil Enforcement Cases” (the “Brand Memo”). The Brand Memo built upon the publication principles outlined in the 2017 Memorandum and extended them to the DOJ’s legal actions, preventing DOJ lawyers from utilizing non-compliance with guidance documents as a basis for filing a civil lawsuit. While DOJ lawyers could still use guidance documents read by a party as evidence that such party had knowledge of a legal mandate, “that a party fails to comply with agency guidance [documents] expanding upon statutory or regulatory requirements does not mean that the party violated those underlying legal requirements.”


Seventh Circuit adopts Safeco objective reasonableness standard in the context of false claims act cases

On August 12, 2021, the Seventh Circuit joined the Third, Eighth, Ninth, and D.C. Circuits in holding that the “objective reasonableness” standard for determinations of scienter, as set forth by the Supreme Court in Safeco Insurance Co. of America v. Burr, 551 U.S. 47, 70 (2007), applies in the context of False Claims Act (FCA) litigation.  In doing so, the Seventh Circuit observed that, under Safeco, a defendant cannot possess the requisite scienter under the FCA if: (1) it has an objectively reasonable reading of the statute or regulation; and (2) there was no authoritative guidance warning against its view.  This case has significant implications for defendants in FCA litigation by finding that an objectively reasonable interpretation of the law will defeat allegations of false claims.

Further, the decision is the latest victory in a spate of cases brought by the plaintiffs’ bar claiming that pharmacies are required to report special prices—such as membership club prices or matched competitor prices—as their usual and customary (U&C) prices. Virtually every pharmacy that has operated a membership club has faced scrutiny through actions under the FCA and consumer-class actions. The Seventh Circuit’s decision comes in the wake of the recent jury verdict in favor of CVS in the matter of Carl Washington (formerly known as Corcoran) et al. v. CVS Pharmacy, Inc., No. 15-cv-03504 (N.D. Ca. Jun. 24, 2021).   This victory will support pharmacies’ defenses in other similar litigation alleging the submission of false U&C prices, particularly when the alleged false conduct occurred before 2016, given that the Seventh Circuit found that reporting retail prices—as opposed to special prices such as price matches—was an objectively reasonable approach to U&C reporting.


No Surprises Act: Time to revisit balance billing prohibitions in hospital-based physician professional services agreements with hospitals?

Effective January 1, 2022, common prohibitions against “balance billing” under hospital professional service contracts will likely become moot due to certain superseding federal prohibitions under the federal No Surprises Act enacted December 27, 2020.  As detailed below, certain hospital-based physicians, including radiologists, anesthesiologists, and pathologists, should keep these new federal billing prohibitions in mind when entering into new hospital professional services agreements (“PSAs”) and revisit their existing agreements to determine whether any changes are appropriate.

“No Surprises Act” Background.

The federal government’s growing focus on surprise medical bills reached a new high on July 1, 2021, when the Department of Health and Human Services (“HHS”), along with the Department of Labor and Department of the Treasury, released a consumer-focused interim final rule with comment period taking aim at surprise billing and excessive cost-sharing practices. The rule, which also cites an ineffective “patchwork” of consumer protections under existing state laws, represents the first implementing regulation under the No Surprises Act. Both the rule and the statute become effective on or after January 1, 2022.

Balance Billing Prohibition.

This article discusses two distinct but interwoven billing procedures that deserve clarification: “surprise billing” and “balance billing.”


FDA clarifies evidence and knowledge requirements in intended use final rule

On August 2, 2021, the U.S. Food and Drug Administration (“FDA”) published a final rule amending existing regulations (21 C.F.R. § 201.128 and 21 C.F.R. § 801.4) that describe the types of evidence relevant to determine a drug or device’s intended use under the Food, Drug and Cosmetic Act (“FDCA”). See 86 Fed. Reg. 41,384–85.

This final rule, which takes effect as of September 1, 2021, withdraws and replaces a final rule that FDA promulgated on January 9, 2017, but which never became effective due to an outcry concerning a problematic knowledge provision that was contrary to the statutory scheme of the FDCA and to physicians’ autonomy to use FDA-approved products in an off-label manner.

Prior to the 2021 final rule, FDA issued a proposed rule on September 23, 2020 that eliminated the 2017 rule’s knowledge provision and was much more aligned with FDCA intent and current FDA policy and practice. FDA maintains, and we agree, that the August 2021 final rule remains largely unchanged from the 2020 proposed language.

The following is a review of some important changes that FDA regulated entities should take note of as they develop and market FDA regulated products:


HHS authorizes pharmacy technicians and interns to administer flu vaccines

The flurry of Covid-19 vaccine administration that marked the mid spring to early summer resulting in millions of doses administered daily has given way to a steady stream of approximately 700,000 doses of vaccine administered daily, according to some analysis of CDC data.

But now that August has arrived so has the need for regularly scheduled pediatric vaccines to be administered as schools open up again. Also, next month marks the beginning of flu season and its flood of vaccine requests. All of this demand for vaccine administration could threaten to overwhelm some of the pharmacies that have typically been a destination for quick and easy vaccine administration.

On August 4, the HHS officially amended the PREP Act declaration on medical countermeasures against Covid-19 in an effort to stave off any bottle-necking at pharmacies that administer flu vaccines. The declaration amendment, which took immediate effect and lasts until the end of the public health emergency, officially included qualified pharmacy technicians and interns as “qualified persons” permitted to administer seasonal influenza vaccines to adults age 19 and older. Additionally, the amendment officially identifies the same techs and interns as authorized to administer the Covid-19 vaccine as well as pediatric vaccines that are on the Advisory Committee on Immunization Practices (ACIP) schedule.


Health Care Provisions in the Infrastructure Investment and Jobs Act

On August 1, 2021, the Senate released the legislative text of the bipartisan infrastructure bill, the “Infrastructure Investment and Jobs Act,” H.R. 3684.  The Senate is expected to vote this week, before a month-long recess beginning on August 9, 2021.  The 2,702 page legislation contains several relevant health care-related provisions, including a delay of the implementation of the rule eliminating the Anti-Kickback Statute (“AKS”) safe harbor protection for Medicare Part D rebates.

Rebate for Discarded Amounts of Medicare Part B Single-Dose Container or Single-Use Package Drugs

First, the legislation requires manufacturers of single-dose container or single-use package drugs payable under Medicare Part B to provide a rebate to the government for any discarded portion of that drug.  The rebates will be charged each quarter, beginning with the first quarter of 2023, and must be paid in regular intervals, as determined appropriate by the Secretary of the U.S. Department of Health and Human Services (“HHS”).  The legislation provides that, in order to enforce this provision, HHS will conduct periodic audits of both drug manufacturers and providers who submit claims.  For violations of this provision, HHS will impose Civil Monetary Penalties in amounts equal to the sum of the amount that the manufacturer would have paid and twenty-five percent of such amount.


CMS Gives the IPO List the Godfather 3 Treatment

Just when the procedures thought they were out(patient), CMS pulls them back in(patient).

Last year, in the final CY 2021 Outpatient PPS rule, CMS announced its intention to eliminate the Inpatient Only (IPO) List by January 1, 2024. The IPO list featured more than 1,700 procedures that were surgically invasive or required more than 24 hours of post-operational recovery time. As a result, any procedure on the list would only be paid for by Medicare on an inpatient basis.

With the CY 2021 rule, those procedures would be released to outpatient providers in stages, allowing physicians to clinically determine whether inpatient admission was indicated for a particular procedure.

However, in the proposed CY 2022 Outpatient PPS rule, announced on July 19, 2021, CMS reversed that decision and announced that it will now keep the IPO List, reinstating the 298 procedures that were removed by the 2021 rule. CMS said it was responding to concerns from stakeholders about patient safety. In particular, CMS indicated that the 2021 rule removed the procedures on too steep of a timeline. The agency said it wanted to provide “greater consideration of the impact removing services from the list has on beneficiary safety and to allow providers impacted by the COVID-19 PHE additional time to prepare to furnish appropriate services safely and efficiently before continuing to remove large numbers of services from the list.”


Expansive enforcement of HIPAA Right of Access continues

Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access Initiative (“Initiative”), demonstrating OCR’s continued commitment to enforcing patients’ rights. Reed Smith has closely tracked this Initiative. Additional commentary on the Initiative and the associated settlements can be found here, and here.

Under HIPAA, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” Once a request for access has been made, the covered entity must act on the request “no later than 30 days after receipt of the request….” The Initiative focuses on enforcement of these duties under HIPAA and holds to account those who fail to comply.

The first settlement, which was announced on September 9, 2019, arose from a mother’s complaint alleging that Bayfront Health St. Petersburg (“Bayfront”) failed to provide timely access to her child’s prenatal medical records. Bayfront paid $85,000 to OCR and agreed to one year of monitoring to settle the potential violation of the right of access provision of HIPAA. At the time, then-OCR Director Roger Severino stated, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” This statement and settlement demonstrate that OCR views the Initiative as central in furthering not only the agency’s directive in protecting patients’ rights, but also in making healthcare more affordable and keeping patients informed about their health.

The organizations that have been subject to OCR scrutiny under this Initiative vary widely. Since the inception of the Initiative, OCR has taken action against a range of regulated entities, from private practitioners to one of the largest health care systems in the United States. The nineteen settlements targeted covered entities located across a dozen states, and involved varied medical specialties, including, but not limited to, mental health, plastic surgery, pain management, and endocrinology. The complainants that initiated these investigations also reflect the varied contexts in which requests for access are made, such as patients seeking their own PHI, parents requesting their child’s records, and a child asking for her father’s medical records. Although the settlements varied widely under the Initiative (ranging from $3,500 to $200,000), most settlements have been within a range of tens of thousands of dollars. Additionally, all of the nineteen settlements include corrective action plans, which mandate OCR monitoring for a period of one or two years.

In determining the payment of civil monetary penalties (in the event the regulated entity and OCR cannot come to a settlement), OCR is directed to consider multiple factors including (i) the nature and extent of the HIPAA violation; (ii) the harm resulting from the violation; (iii) the regulated entity’s history with respect to compliance with the HIPAA rules; (iv) the financial condition of the regulated entity, including its size; and (v) recognized security practices.

Noticeably, in many of these cases, the payment of a settlement amount came after OCR provided technical assistance to the regulated entity regarding how to comply with HIPAA right of access requirements in response to a patient complaint. In these instances, the regulated entity’s continued failure to address the request for access resulted in a second complaint, an investigation by OCR, and, ultimately, a financial settlement and additional monitoring.

For example, in March 2021, OCR announced a settlement with The Arbour, Inc (“Arbour”), a Massachusetts-based covered entity provider of behavioral health services. After a patient filed an initial complaint alleging that Arbour failed to take timely action in response to a record request, OCR provided Arbour with technical assistance regarding its right of access duties under HIPAA. Following OCR’s provision of technical assistance, the patient filed a second complaint with OCR claiming that Arbour continued to fail to respond to the patient’s request. In the settlement, Arbour agreed to pay $65,000 and undertake a corrective action plan that included one year of monitoring. At the time the settlement was announced, Acting OCR Director Robinsue Frohboese said, “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” In nine of the nineteen settlements under the Initiative, OCR has reported providing technical assistance before enforcement action was taken in response to a second complaint.

An important lesson to the industry is that it is crucial that regulated entities promptly provide patients with requested PHI and respond to OCR if the agency reaches out to provide technical assistance.


Reed Smith will continue to track developments involving the Initiative. Should you have any questions related to this OCR Initiative please do not hesitate to reach out to the health care attorneys at Reed Smith.

Consensus among HHS agencies on addressing social determinants of health through better data capture, interoperability

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life risks and outcomes.[1] In the past year or so, U.S. federal government policy has made a fundamental shift to align with this notion, focusing in part on better integration of health data and human services data to improve the health outcomes that patients experience.

This policy shift is highlighted in the U.S. Department of Health & Human Services’ (HHS’) 2020-2025 Federal Health IT Strategic Plan, and is underscored in the Biden Administration’s American Rescue Plan and other policy recommendations that include ways to address SDOH, particularly in the wake of the COVID-19 pandemic. Through these policies and legislative initiatives, we have seen HHS agencies, such as the Office for Civil Rights (“OCR”), the agency that enforces HIPAA, the Office of the National Coordinator for Health Information Technology (“ONC”), the agency charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information, and others, signal that use and disclosure of patient information for certain treatment and health care operations activities, namely care coordination and management, to address SDOH is not only permissible but encouraged at both the individual-level and the population-level.

OCR’s Notice of Proposed Rulemaking (NPRM) published in January 2021, proposes pivotal changes to key standards, definitions, and patient rights under the HIPAA Privacy Rule, which are geared toward promoting care coordination and value-based care, and empowering patients with greater access to their health information.  More specifically, in addition to facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhancing flexibilities for disclosures of protected health information (PHI) in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies, OCR’s NPRM seeks to clarify the (already existing) scope of a HIPAA covered entity’s ability to disclose PHI to social service agencies, community-based organizations, home and community-based service providers, and other similar third parties providing health-related services in order to facilitate coordination of care and case management for permissible treatment and health care operations purposes under the law.  As proposed, the HIPAA Privacy Rule’s definition of “health care operations” would be amended to expressly permit disclosure of PHI for care coordination and case management activities, whether population-based or focused on particular individuals, and without a patient authorization.

If finalized, this clarification would give comfort to covered health care providers and health plans seeking to address SDOH among their patient and member populations that they may use and disclose PHI for these purposes without running afoul of HIPAA.  In effect, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, their patient’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a local service agency that arranges such services for individuals, or disclose PHI to a senior center to help coordinate necessary health-related services for a patient such as arranging for a home aide to help the patient with their prescribed at-home prescription or post-discharge treatment protocol.  Likewise, a covered health plan may disclose PHI to facilitate care coordination and case management activities as part of the plan’s health care operations, including working closely with community-based organizations and/or multi-disciplinary teams to address SDOH and coordinate comprehensive wraparound services, such as clinical and behavioral health care, social services, and patient advocates to support certain populations, such as senior citizens or people experiencing food insecurity, homelessness, severe mental illness or substance abuse disorders.

Demonstrating consensus around the use of patient information in the clinical context to address SDOH, last week ONC released version 2 of the United States Core Data for Interoperability (“USCDI”), which now includes patient information related to SDOH, as well as sexual orientation and gender identity.  USCDI is a standardized set of health data classes and data elements for nationwide, interoperable health information exchange.  ONC requires compliance with the USCDI version 1 for health information technology (“IT”) certified to its Health IT Certification Program, 2015 Edition Cure Update in order to establish baseline standards for capturing health information in electronic health records and for exchanging that information with other systems.  USCDI version 1 is also incorporated into ONC’s Information Blocking Rule, which prohibits interference with access, exchange, and use of electronic health information by health care providers, health information exchanges and health information networks, and ONC-certified health IT developers.  For more information on the Information Blocking Rule, please refer to Reed Smith’s 2021 Health Care Outlook, Information Blocking Webinar Series, and recent Health Industry Washington Watch blog posts.

While compliance with USCDI version 2 is not mandated at this time for ONC-certified health IT, or for health care providers or systems from a documentation or data sharing perspective, it serves as additional evidence that the activities a HIPAA covered health care provider or health plan undertakes to address SDOH can fall within the scope of treatment and health care operations activities consistent with OCR’s proposed clarifications and modifications to the HIPAA Privacy Rule.


Reed Smith is closely tracking the further integration of SDOH data across the health care industry, including with respect to the release of OCR’s final rule.  Should you have any questions regarding the impact of these developments on your organization, please contact Nancy B. Halstead, Vicki Tankle, or a member of your Reed Smith health care team.


[1] See Office of Disease Prevention and Health Promotion, Social Determinants of Health (2020), available at; U.S. Centers for Disease Control and Prevention, Social Determinants of Health: Know What Affects Health, available at