New and improved proposed national coverage determination on screening for lung cancer with low dose CT

The Centers for Medicare and Medicaid Services (CMS) is proposing significant and important modifications to its National Coverage Determination (NCD): Screening for Lung Cancer with Low Dose Computed Tomography (LDCT). Medicare pays for lung cancer screening, counseling, and shared decision-making visits, and for an annual screening for lung cancer with low dose computed tomography as a preventive service benefit under the Medicare program. CMS issued its NCD in 2015 initiating this screening benefit, but stakeholders have observed that many of the features of the initial NCD served as a barrier to the effectiveness of this screening program. The proposed NCD makes numerous improvements to this program and eliminates many of the barriers to qualified patients’ ability to gain access to important LDCT lung cancer screenings.

Last year, a formal joint request to reconsider the NCD was submitted to CMS by the GO2 Foundation for Lung Cancer, The Society of Thoracic Surgeons, and the American College of Radiology (ACR), and CMS received numerous comments from various stakeholders, including from the Association for Quality Imaging. This new proposed NCD is in response to that request and the comments from stakeholders.

SCOTUS to examine “good faith” defense in criminal opioid prescription cases

On Nov. 5, 2021, the U.S. Supreme Court consolidated and granted certiorari to a pair of cases involving physicians who were criminally prosecuted for prescribing controlled substances (specifically, opioids) in violation of Section 841(a)(1) of the Controlled Substances Act (“CSA”). The consolidated cases—Ruan v. United States and Kahn v. United States—present questions regarding the requisite state of mind for a jury to convict a prescriber under the CSA and the availability and nature of a “good faith” defense to criminal liability under the statute. By agreeing to hear these cases, the Court positions itself to resolve, or at minimum weigh in on, the current circuit splits regarding these issues.

Under the CSA, as interpreted by the Supreme Court in United States v. Moore, 423 U.S. 122 (1975), practitioners who are registered to legally prescribe controlled substances can nonetheless be found to have violated the CSA if they prescribe in a manner that “fall[s] outside the usual course of professional practice.”  However, petitioners argue that the state of mind necessary to convict varies by circuit.  Judicial willingness to issue a specific jury instruction on the availability of a “good faith” defense similarly varies.

CMS issues interim final rule on SARS-CoV-2 vaccination for health care workers

The Centers for Medicare and Medicaid Services (CMS) has published an interim final rule that changed the conditions of participation in Medicare and Medicaid to require vaccination of certain healthcare workers. The rule, titled “Omnibus COVID-19 Health Care Staff Vaccination Rule,” was published in the Federal Register on November 5, 2021.

The rule requires all employees of certain health care entities that are regulated by CMS to obtain their first vaccination shot or apply for a religious or other health or disability related exemption by December 6, 2021. Additionally, the rule requires either a completed vaccination series or an approved exemption by January 4, 2022.

Covered Entities and Individuals

The rule is not a blanket vaccine mandate for all health care workers and Medicare sites of service, as had been speculated in various media reports. Instead, the rule is limited to only those entities that are surveyed by CMS and have Conditions of Participation, Conditions for Coverage, or Requirements for Participation in the Medicare and Medicaid programs.

HHS-OIG approves uniform chiropractic discount program for federal beneficiaries

Andrew and Quynh are law clerks at the firm and their work is supervised by licensed attorneys. Their admission to – respectively – the Washington, D.C. and California bar is pending.

On October 4, 2021, the Department of Health and Human Services Office of Inspector General (OIG) issued a favorable advisory opinion on a proposal by a chiropractic clinic operator to extend an existing discount program to federal health plan beneficiaries.

The requesting clinics initially offered various discount programs to their privately insured or self-paid patients, but not to Federal health care program beneficiaries. Many healthcare providers are hesitant to give federal beneficiaries access to certain discount programs because of concern that doing so would run afoul of Federal anti-kickback and beneficiary inducement statutes. Specifically, the concern is that if the beneficiaries receive discounts, clinics would provide patients with something of value—a discount on self-paid services—in exchange for the option to seek federally reimbursed services through a specific provider.

To address these concerns, the chiropractic clinic operator requested an advisory opinion from OIG on a new discount model that would extend discount programs to Federal health care program beneficiaries. While OIG found that the proposed discount program could result in prohibited compensation to patients, it also stated that it would not pursue an enforcement action based on the nature of the requesting clinics’ specific discount model.

Although only the requesting chiropractic clinic operator may rely on this opinion, OIG’s analysis implies that equalizing discount rates across federally reimbursable and non-reimbursable chiropractic services reduces legal risk under anti-kickback and beneficiary inducement statutes. Providers offering similar discount programs should take note to inform their compliance strategies.

FDA codifies requirements for the medical device De Novo classification process

On October 5, 2021, the U.S. Food and Drug Administration (“FDA”) published a final rule to establish requirements for the medical device De Novo classification process under the Federal Food, Drug, and Cosmetic Act.

The final rule, which takes effect January 3, 2022, comes nearly three years after the FDA first proposed it and, notably, sets forth the procedures and criteria for a manufacturer’s voluntary submission and withdrawal of a De Novo request.  Additionally, the rule clarifies how agency staff intends to accept and review the requests, as well as how FDA staff will determine whether to grant or decline the requests.  Finally, the rule also provides a way for combination products to use the De Novo pathway.

Useful for novel, low risk medical devices

The implementation of the De Novo classification process is especially significant for manufacturers of novel, low-risk medical devices.  Prior to the De Novo program, which was created in 1997, any device that lacked a predicate automatically became designated as a Class III device and, therefore, required premarket approval to legally reach the market.  Because this premarket pathway is designed to regulate the riskiest category of devices, manufacturers typically had to endure longer than anticipated wait times for approval of their low-risk devices.

FTC warns non-HIPAA covered entities to comply with Health Breach Notification Rule

In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health. Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement mechanisms regarding the privacy and security of health information, including state and federal law, regulations, and federal agency guidance. At times, these legal protections and enforcement mechanisms intersect, bringing the enforcement powers of multiple federal regulations and agencies to bear to protect the privacy and security of consumers’ health information.

On September 15, 2021, the Federal Trade Commission (“FTC”) released a policy statement addressing the scope of the FTC’s Health Breach Notification Rule with respect to applications and connected devices that collect health information. At first glance, the FTC’s Health Breach Notification Rule and the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations appear to operate in similar spaces, both regulating access to health information. However, HIPAA and the FTC Rule apply to different entities. HIPAA applies to covered entities and their business associates (e.g., health care providers that submit claims electronically, health plans, and health care clearinghouses, and third parties that provide services for or on behalf of these types of organizations that generally require access to protected health information), and the FTC Rule applies to businesses not regulated by HIPAA. Therefore, while the regulations operate in similar spaces, the scope of the regulations differs.

For further discussion on the FTC’s policy statement, the Health Breach Notification Rule, and its differentiation from HIPAA, please see our post on Reed Smith’s Technology Law Dispatch.

Biden administration looks to centralize pandemic response in preparedness plan

In a report released on September 2, 2021, the Biden administration announced its plan to help prepare the nation for future pandemic threats. In the report, named American Pandemic Preparedness: Transforming Our Capabilities, the administration described what it sees as the vital need to change the nation’s capabilities to better respond to any future pandemics or biological threats.

The report organizes the proposed actions under five pillars: (1) Transforming Medical Defenses, (2) Ensuring Situational Awareness, (3) Strengthening Public Health Systems, (4) Building Core Capabilities, and (5) Managing the Mission.

The report calls for action to “not just refill our stockpiles, but also to transform our capabilities.” The report compares the proposed plan to the Apollo space program because of the importance that the administration is placing on the efforts as well as the proposed coordination among agencies and departments.

Ultimately, the administration is planning to create a centralized “mission control” that would work to coordinate resources and expertise from multiple agencies within the Department of Health and Human Services, like the National Institutes of Health, Centers for Disease Control and Prevention, Biomedical Advanced Research and Development Authority (a component of the office of the Assistant Secretary for Preparedness and Response), Food and Drug Administration, and the Centers for Medicare and Medicaid Services, along with other cabinet-level departments such as the Department of Defense, Department of Energy, and the Veterans Administration.

DOJ revises approach to publication and enforcement of guidance documents

On July 1, 2021, the Department of Justice (DOJ) released a memorandum signed by Attorney General Merrick Garland regarding the issuance and use of guidance documents. Addressed to the heads of all DOJ components, the memorandum rescinds two previous DOJ memoranda and outlines the principles governing the DOJ’s revised approach in evaluating guidance documents.

2017 Memorandum

On November 16, 2017, then Attorney General Jeff Sessions published a memorandum entitled “Prohibition on Improper Guidance Documents” (the “2017 Memorandum”). The 2017 Memorandum sought to address instances in which guidance documents published by the DOJ were being used to “effectively bind private parties without undergoing the [notice-and-comment] rulemaking process.” Under the 2017 Memorandum, Attorney General Sessions prohibited publication of guidance documents “that purport to create rights or obligations binding on persons or entities outside the Executive Branch (including state, local and tribal governments).”  The 2017 Memorandum directed the DOJ to also adhere to several principles in constructing and publishing guidance documents. These included avoiding the use of mandatory language, specifically noting that voluntary standard non-compliance would not result in enforcement action and including unambiguous statements that published guidance documents were not legally-binding final agency actions.

Brand Memo

Following the 2017 Memorandum, then Associate Attorney General Rachel Brand released a memorandum entitled “Limiting Use of Agency Guidance Documents In Affirmative Civil Enforcement Cases” (the “Brand Memo”). The Brand Memo built upon the publication principles outlined in the 2017 Memorandum and extended them to the DOJ’s legal actions, preventing DOJ lawyers from utilizing non-compliance with guidance documents as a basis for filing a civil lawsuit. While DOJ lawyers could still use guidance documents read by a party as evidence that such party had knowledge of a legal mandate, “that a party fails to comply with agency guidance [documents] expanding upon statutory or regulatory requirements does not mean that the party violated those underlying legal requirements.”

Seventh Circuit adopts Safeco objective reasonableness standard in the context of False Claims Act cases

On August 12, 2021, the Seventh Circuit joined the Third, Eighth, Ninth, and D.C. Circuits in holding that the “objective reasonableness” standard for determinations of scienter, as set forth by the Supreme Court in Safeco Insurance Co. of America v. Burr, 551 U.S. 47, 70 (2007), applies in the context of False Claims Act (FCA) litigation.  In doing so, the Seventh Circuit observed that, under Safeco, a defendant cannot possess the requisite scienter under the FCA if: (1) it has an objectively reasonable reading of the statute or regulation; and (2) there was no authoritative guidance warning against its view.  This case has significant implications for defendants in FCA litigation by finding that an objectively reasonable interpretation of the law will defeat allegations of false claims.

Further, the decision is the latest victory in a spate of cases brought by the plaintiffs’ bar claiming that pharmacies are required to report special prices—such as membership club prices or matched competitor prices—as their usual and customary (U&C) prices. Virtually every pharmacy that has operated a membership club has faced scrutiny through actions under the FCA and consumer-class actions. The Seventh Circuit’s decision comes in the wake of the recent jury verdict in favor of CVS in the matter of Carl Washington (formerly known as Corcoran) et al. v. CVS Pharmacy, Inc., No. 15-cv-03504 (N.D. Ca. Jun. 24, 2021).   This victory will support pharmacies’ defenses in other similar litigation alleging the submission of false U&C prices, particularly when the alleged false conduct occurred before 2016, given that the Seventh Circuit found that reporting retail prices—as opposed to special prices such as price matches—was an objectively reasonable approach to U&C reporting.

The Lower Court’s Decision:

No Surprises Act: Time to revisit balance billing prohibitions in hospital-based physician professional services agreements with hospitals?

Effective January 1, 2022, common prohibitions against “balance billing” under hospital professional service contracts will likely become moot due to certain superseding federal prohibitions under the federal No Surprises Act enacted December 27, 2020.  As detailed below, certain hospital-based physicians, including radiologists, anesthesiologists, and pathologists, should keep these new federal billing prohibitions in mind when entering into new hospital professional services agreements (“PSAs”) and revisit their existing agreements to determine whether any changes are appropriate.

“No Surprises Act” Background.

The federal government’s growing focus on surprise medical bills reached a new high on July 1, 2021, when the Department of Health and Human Services (“HHS”), along with the Department of Labor and Department of the Treasury, released a consumer-focused interim final rule with comment period taking aim at surprise billing and excessive cost-sharing practices. The rule, which also cites an ineffective “patchwork” of consumer protections under existing state laws, represents the first implementing regulation under the No Surprises Act. Both the rule and the statute become effective on or after January 1, 2022.

Balance Billing Prohibition.

This article discusses two distinct but interwoven billing procedures that deserve clarification: “surprise billing” and “balance billing.”

FDA clarifies evidence and knowledge requirements in intended use final rule

On August 2, 2021, the U.S. Food and Drug Administration (“FDA”) published a final rule amending existing regulations (21 C.F.R. § 201.128 and 21 C.F.R. § 801.4) that describe the types of evidence relevant to determine a drug or device’s intended use under the Food, Drug and Cosmetic Act (“FDCA”). See 86 Fed. Reg. 41,384–85.

This final rule, which takes effect as of September 1, 2021, withdraws and replaces a final rule that FDA promulgated on January 9, 2017, but which never became effective due to an outcry concerning a problematic knowledge provision that was contrary to the statutory scheme of the FDCA and to physicians’ autonomy to use FDA-approved products in an off-label manner.

Prior to the 2021 final rule, FDA issued a proposed rule on September 23, 2020 that eliminated the 2017 rule’s knowledge provision and was much more aligned with FDCA intent and current FDA policy and practice. FDA maintains, and we agree, that the August 2021 final rule remains largely unchanged from the 2020 proposed language.

The following is a review of some important changes that FDA regulated entities should take note of as they develop and market FDA regulated products:

HHS authorizes pharmacy technicians and interns to administer flu vaccines

The flurry of Covid-19 vaccine administration that marked mid-spring to early summer, resulting in millions of doses administered daily, has given way to a steady stream of approximately 700,000 doses of vaccine administered daily, according to some analysis of CDC data.

But now that August has arrived, so has the need for regularly scheduled pediatric vaccines to be administered as schools open up again. Also, next month marks the beginning of flu season and its flood of vaccine requests. All of this demand for vaccine administration could threaten to overwhelm some of the pharmacies that have typically been a destination for quick and easy vaccine administration.

On August 4, the HHS officially amended the PREP Act declaration on medical countermeasures against Covid-19 in an effort to stave off any bottle-necking at pharmacies that administer flu vaccines. The declaration amendment, which took immediate effect and lasts until the end of the public health emergency, officially included qualified pharmacy technicians and interns as “qualified persons” permitted to administer seasonal influenza vaccines to adults age 19 and older. Additionally, the amendment officially identifies the same techs and interns as authorized to administer the Covid-19 vaccine as well as pediatric vaccines that are on the Advisory Committee on Immunization Practices (ACIP) schedule.

Health Care Provisions in the Infrastructure Investment and Jobs Act

On August 1, 2021, the Senate released the legislative text of the bipartisan infrastructure bill, the “Infrastructure Investment and Jobs Act,” H.R. 3684. The Senate is expected to vote this week, before a month-long recess beginning on August 9, 2021. The 2,702-page legislation contains several relevant health care-related provisions, including a delay of the implementation of the rule eliminating the Anti-Kickback Statute (“AKS”) safe harbor protection for Medicare Part D rebates.

Rebate for Discarded Amounts of Medicare Part B Single-Dose Container or Single-Use Package Drugs

First, the legislation requires manufacturers of single-dose container or single-use package drugs payable under Medicare Part B to provide a rebate to the government for any discarded portion of that drug.  The rebates will be charged each quarter, beginning with the first quarter of 2023, and must be paid in regular intervals, as determined appropriate by the Secretary of the U.S. Department of Health and Human Services (“HHS”).  The legislation provides that, in order to enforce this provision, HHS will conduct periodic audits of both drug manufacturers and providers who submit claims.  For violations of this provision, HHS will impose Civil Monetary Penalties in amounts equal to the sum of the amount that the manufacturer would have paid and twenty-five percent of such amount.

CMS Gives the IPO List the Godfather 3 Treatment

Just when the procedures thought they were out(patient), CMS pulls them back in(patient).

Last year, in the final CY 2021 Outpatient PPS rule, CMS announced its intention to eliminate the Inpatient Only (IPO) List by January 1, 2024. The IPO list featured more than 1,700 procedures that were surgically invasive or required more than 24 hours of post-operational recovery time. As a result, any procedure on the list would only be paid for by Medicare on an inpatient basis.

With the CY 2021 rule, those procedures would be released to outpatient providers in stages, allowing physicians to clinically determine whether inpatient admission was indicated for a particular procedure.

However, in the proposed CY 2022 Outpatient PPS rule, announced on July 19, 2021, CMS reversed that decision and announced that it will now keep the IPO List, reinstating the 298 procedures that were removed by the 2021 rule. CMS said it was responding to concerns from stakeholders about patient safety. In particular, CMS indicated that the 2021 rule removed the procedures on too steep of a timeline. The agency said it wanted to provide “greater consideration of the impact removing services from the list has on beneficiary safety and to allow providers impacted by the COVID-19 PHE additional time to prepare to furnish appropriate services safely and efficiently before continuing to remove large numbers of services from the list.”

Expansive enforcement of HIPAA Right of Access continues

Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access Initiative (“Initiative”), demonstrating OCR’s continued commitment to enforcing patients’ rights. Reed Smith has closely tracked this Initiative. Additional commentary on the Initiative and the associated settlements can be found here, and here.

Under HIPAA, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” Once a request for access has been made, the covered entity must act on the request “no later than 30 days after receipt of the request….” The Initiative focuses on enforcement of these duties under HIPAA and holds to account those who fail to comply.

The first settlement, which was announced on September 9, 2019, arose from a mother’s complaint alleging that Bayfront Health St. Petersburg (“Bayfront”) failed to provide timely access to her child’s prenatal medical records. Bayfront paid $85,000 to OCR and agreed to one year of monitoring to settle the potential violation of the right of access provision of HIPAA. At the time, then-OCR Director Roger Severino stated, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” This statement and settlement demonstrate that OCR views the Initiative as central in furthering not only the agency’s directive in protecting patients’ rights, but also in making healthcare more affordable and keeping patients informed about their health.

The organizations that have been subject to OCR scrutiny under this Initiative vary widely. Since the inception of the Initiative, OCR has taken action against a range of regulated entities, from private practitioners to one of the largest health care systems in the United States. The nineteen settlements targeted covered entities located across a dozen states, and involved varied medical specialties, including, but not limited to, mental health, plastic surgery, pain management, and endocrinology. The complainants that initiated these investigations also reflect the varied contexts in which requests for access are made, such as patients seeking their own PHI, parents requesting their child’s records, and a child asking for her father’s medical records. Although the settlements varied widely under the Initiative (ranging from $3,500 to $200,000), most settlements have been within a range of tens of thousands of dollars. Additionally, all of the nineteen settlements include corrective action plans, which mandate OCR monitoring for a period of one or two years.

In determining the payment of civil monetary penalties (in the event the regulated entity and OCR cannot come to a settlement), OCR is directed to consider multiple factors including (i) the nature and extent of the HIPAA violation; (ii) the harm resulting from the violation; (iii) the regulated entity’s history with respect to compliance with the HIPAA rules; (iv) the financial condition of the regulated entity, including its size; and (v) recognized security practices.

Noticeably, in many of these cases, the payment of a settlement amount came after OCR provided technical assistance to the regulated entity regarding how to comply with HIPAA right of access requirements in response to a patient complaint. In these instances, the regulated entity’s continued failure to address the request for access resulted in a second complaint, an investigation by OCR, and, ultimately, a financial settlement and additional monitoring.

For example, in March 2021, OCR announced a settlement with The Arbour, Inc. (“Arbour”), a Massachusetts-based covered entity provider of behavioral health services. After a patient filed an initial complaint alleging that Arbour failed to take timely action in response to a record request, OCR provided Arbour with technical assistance regarding its right of access duties under HIPAA. Following OCR’s provision of technical assistance, the patient filed a second complaint with OCR claiming that Arbour continued to fail to respond to the patient’s request. In the settlement, Arbour agreed to pay $65,000 and undertake a corrective action plan that included one year of monitoring. At the time the settlement was announced, Acting OCR Director Robinsue Frohboese said, “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” In nine of the nineteen settlements under the Initiative, OCR has reported providing technical assistance before enforcement action was taken in response to a second complaint.

An important lesson to the industry is that it is crucial that regulated entities promptly provide patients with requested PHI and respond to OCR if the agency reaches out to provide technical assistance.


Reed Smith will continue to track developments involving the Initiative. Should you have any questions related to this OCR Initiative please do not hesitate to reach out to the health care attorneys at Reed Smith.

Consensus among HHS agencies on addressing social determinants of health through better data capture, interoperability

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life risks and outcomes.[1] In the past year or so, U.S. federal government policy has made a fundamental shift to align with this notion, focusing in part on better integration of health data and human services data to realize improved health outcomes that patients experience.

This policy shift is highlighted in the U.S. Department of Health & Human Services’ (HHS’) 2020-2025 Federal Health IT Strategic Plan, and is underscored in the Biden Administration’s American Rescue Plan and other policy recommendations that include ways to address SDOH, particularly in the wake of the COVID-19 pandemic. Through these policies and legislative initiatives, we have seen HHS agencies, such as the Office for Civil Rights (“OCR”), the agency that enforces HIPAA, the Office of the National Coordinator for Health Information Technology (“ONC”), the agency charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information, and others, signal that use and disclosure of patient information for certain treatment and health care operations activities, namely care coordination and management, to address SDOH is not only permissible but encouraged at both the individual-level and the population-level.

OCR’s Notice of Proposed Rulemaking (NPRM), published in January 2021, proposes pivotal changes to key standards, definitions, and patient rights under the HIPAA Privacy Rule, which are geared toward promoting care coordination and value-based care, and empowering patients with greater access to their health information. More specifically, in addition to facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhancing flexibilities for disclosures of protected health information (PHI) in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies, OCR’s NPRM seeks to clarify the (already existing) scope of a HIPAA covered entity’s ability to disclose PHI to social service agencies, community-based organizations, home and community-based service providers, and other similar third parties providing health-related services in order to facilitate coordination of care and case management for permissible treatment and health care operations purposes under the law. As proposed, the HIPAA Privacy Rule’s definition of “health care operations” would be amended to expressly permit disclosure of PHI for care coordination and case management activities, whether population-based or focused on particular individuals, and without a patient authorization.

If finalized, this clarification would give comfort to covered health care providers and health plans seeking to address SDOH among their patient and member populations that they may use and disclose PHI for these purposes without running afoul of HIPAA.  In effect, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, their patient’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a local service agency that arranges such services for individuals, or disclose PHI to a senior center to help coordinate necessary health-related services for a patient such as arranging for a home aide to help the patient with their prescribed at-home prescription or post-discharge treatment protocol.  Likewise, a covered health plan may disclose PHI to facilitate care coordination and case management activities as part of the plan’s health care operations, including working closely with community-based organizations and/or multi-disciplinary teams to address SDOH and coordinate comprehensive wraparound services, such as clinical and behavioral health care, social services, and patient advocates to support certain populations, such as senior citizens or people experiencing food insecurity, homelessness, severe mental illness or substance abuse disorders.

Demonstrating consensus around the use of patient information in the clinical context to address SDOH, last week ONC released version 2 of the United States Core Data for Interoperability (“USCDI”), which now includes patient information related to SDOH, as well as sexual orientation and gender identity.  USCDI is a standardized set of health data classes and data elements for nationwide, interoperable health information exchange.  ONC requires compliance with the USCDI version 1 for health information technology (“IT”) certified to its Health IT Certification Program, 2015 Edition Cure Update in order to establish baseline standards for capturing health information in electronic health records and for exchanging that information with other systems.  USCDI version 1 is also incorporated into ONC’s Information Blocking Rule, which prohibits interference with access, exchange, and use of electronic health information by health care providers, health information exchanges and health information networks, and ONC-certified health IT developers.  For more information on the Information Blocking Rule, please refer to Reed Smith’s 2021 Health Care Outlook, Information Blocking Webinar Series, and recent Health Industry Washington Watch blog posts.

While compliance with USCDI version 2 is not mandated at this time for ONC-certified health IT, or for health care providers or systems from a documentation or data sharing perspective, it serves as additional evidence that the activities a HIPAA covered health care provider or health plan undertakes to address SDOH can fall within the scope of treatment and health care operations activities consistent with OCR’s proposed clarifications and modifications to the HIPAA Privacy Rule.


Reed Smith is closely tracking the further integration of SDOH data across the health care industry, including with respect to the release of OCR’s final rule.  Should you have any questions regarding the impact of these developments on your organization, please contact Nancy B. Halstead, Vicki Tankle, or a member of your Reed Smith health care team.


[1] See Office of Disease Prevention and Health Promotion, Social Determinants of Health (2020), available at; U.S. Centers for Disease Control and Prevention, Social Determinants of Health: Know What Affects Health, available at

Provider Relief Fund Reporting Portal open for reporting Period 1

On July 1, 2021, the U.S. Department of Health and Human Services (“HHS”), through the Health Resources and Services Administration (“HRSA”), notified recipients of Provider Relief Fund (“PRF”) payments via e-mail that the PRF Reporting Portal is now open for providers who are required to report on the use of funds in Reporting Period 1 as described by HHS’s June 11, 2021 update to the reporting requirements.

HRSA also provided resource guides and FAQs to assist providers with understanding the reporting requirements and how to access and use the Reporting Portal. HRSA’s resources included a few notable clarifications and confirmations. First, if a provider received multiple payments across multiple time periods, HRSA clarified that the provider must report during each reporting time period which corresponds to the payment received period. In other words, a provider who received and used all of the PRF payments over various time periods is not allowed to report everything in the initial report and will have to file multiple reports. Similarly, HRSA confirmed that a provider may not submit reports early and, instead, must report during the reporting time period that corresponds to the payment received period in accordance with the June 11, 2021 guidance. In addition, HRSA will not notify a provider regarding whether it agrees with the provider’s reporting. Finally, HRSA will not grant extensions to the reporting period and providers who fail to submit a timely report may be subject to recoupment of PRF payments.

Providers can register to attend a recorded webcast hosted by HRSA on July 8, 2021 at 3 PM ET for additional technical assistance on reporting requirements. Should you have any questions related to the PRF reporting requirements and how it may impact your organization, please do not hesitate to reach out to the health care attorneys at Reed Smith.

Office of Civil Rights shares critical cybersecurity guidance amid string of ransomware attacks

On June 9, 2021, the Office of Civil Rights (OCR) shared a cyber-alert containing important updates on how companies can protect their operations from ransomware attacks. The guidance comes from the White House and Cybersecurity and Infrastructure Security Agency. The memo, entitled “What We Urge You To Do To Protect Against The Threat of Ransomware,” addresses the increased frequency and magnitude of ransomware incidents, calling upon the private sector to join the government’s efforts to protect organizations from the growing threat of such attacks.

This memo comes on the heels of President Biden’s Executive Order to improve the nation’s cybersecurity and protect federal government networks — further indicating the prioritization of cybersecurity in the federal government and private entities. In conjunction with providing essential guidance to private entities, the memo also highlights the government’s efforts to develop cohesive and consistent policies towards ransom payments, enable rapid tracing and interdiction of virtual currency proceeds, and work with the international community to hold countries that harbor ransomware actors accountable.

Providing concrete steps private entities can follow, the memo urges companies to do the following to increase cybersecurity: (1) implement the five best practices from the President’s Executive Order, including, for example, multifactor authentication and data encryption; (2) back up data, regularly test systems, and keep backups offline; (3) update and patch systems promptly; (4) test incident response plans; (5) evaluate the organizational security team’s practices by using a third-party tester to determine cybersecurity readiness; and (6) segment company networks so that if a network is compromised, the harm is mitigated.

While the memo provides vital and timely guidance on cybersecurity practices to private entities, it generally carries no binding effect. However, the non-binding nature of the memo should not create a false sense of reduced responsibility. OCR has demonstrated that it will collect large monetary settlements from regulated entities that fail to appropriately safeguard their networks and systems from cyberattacks. For example, OCR settled a data breach with CHSPSC LLC (CHSPSC) after the information technology (IT) provider permitted hackers to access healthcare provider IT information with compromised administrative credentials. CHSPSC agreed to pay $2.3 million to settle this matter. OCR’s investigation found a history of “systemic noncompliance” with HIPAA security rules by CHSPSC, despite an express warning of attempted hacking from the FBI. “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said Severino.

We will continue to report on any additional guidance provided by OCR as they seek to aid the government in cybersecurity efforts across the public and private sectors. Should you have any questions related to cybersecurity best practices, potential liability, or OCR guidance, please do not hesitate to reach out to the health care attorneys at Reed Smith.

This post was co-authored by Marquan Robertson, a Reed Smith summer associate.

Important updates to provider relief fund reporting requirements

On June 11, 2021, the Department of Health and Human Services (“HHS”) announced that it had released revised reporting requirements for those providers and suppliers that have received Provider Relief Fund payments during the COVID-19 pandemic. Readers may recall that HHS previously issued notices on post-payment reporting requirements starting in July 2020, and that previous updates were announced in January 2021. The June 11, 2021 updates (the “Revised Requirements”) supersede previous reporting requirements, which never went into effect.

To whom do these requirements apply?

The post-payment reporting requirements apply to those who received one or more Provider Relief Fund payments exceeding $10,000 during one of the “Payment Received Periods.” In addition to the General Distributions and Targeted Distributions of Provider Relief Fund monies, the Revised Requirements now also include funds received under the Skilled Nursing Facility and Nursing Home Infection Control Distribution.

Recipients have two distinct, overarching reporting obligations based on the Payment Received Period. Specifically, recipients must, within a set period of time, (1) use the funds received and (2) report on the use of such funds. Generally speaking, the Revised Requirements extend the time period in which certain funds must be used (the previous deadline to use all such funds was June 30, 2021) and allow for a longer time period to complete reporting (90 days instead of 30 days).

The table below is a summary of the reporting requirements and deadlines:

How is reporting done? What must be reported?

Reports must be submitted through the Provider Relief Fund Reporting Portal, which will open on July 1, 2021. Reports are to be made in accordance with the entity’s normal basis of accounting. Details regarding the information that must be reported are found in the Revised Requirements, but generally the information includes “data elements” related to the business and its subsidiaries, interest earned on Provider Relief Fund payments, other assistance received, use/application of funds, lost revenues attributable to coronavirus, and certain personnel, patient, and facility metrics. A copy of the Revised Requirements is available here. For additional information on how the Revised Requirements might impact you, please reach out to the health care attorneys at Reed Smith.

Patient Right of Access Under HIPAA and Increased Enforcement

This post was also written by Marquan Robertson, a Reed Smith summer associate. 

In 2019, the Department of Health and Human Services Office of Civil Rights (OCR) announced its Right of Access Initiative. The Right of Access Initiative realizes OCR’s commitment to ensuring the aggressive enforcement of patients’ rights to receive copies of their medical records. Enforcement of the initiative applies to all organizations required to comply with HIPAA standards.

HIPAA regulations stipulate that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”

Staying true to the spirit of its Right of Access Initiative, OCR recently settled its nineteenth investigation with the Diabetes, Endocrinology & Lipidology Center, Inc. (DELC). DELC is a health care provider for endocrine disorders in West Virginia. OCR’s investigation stemmed from an August 2019 complaint in which a mother alleged that DELC failed to deliver medical records for her minor child in a timely manner. Despite the complaint coming just a month after failed delivery of the requested medical records, copies were not provided to the mother until May 2021—almost two years after the initial request. DELC signed a resolution agreement following OCR’s investigation, agreeing to pay $5,000 and to undertake a corrective action plan featuring two years of continuous monitoring.

We have previously reported on OCR’s vigorous enforcement of its Right of Access Initiative, trending toward increased patient rights. These previously published articles are available here and here. The articles highlight multiple OCR settlements and OCR’s recent push for interoperability among health care providers. Moreover, the Office of the National Coordinator for Health Information Technology and Centers for Medicare & Medicaid Services, in conjunction with the Department of Health and Human Services Office of the Inspector General, have led the way for increased monitoring and compliance standards through various rule proposals. These proposals call for the implementation of technology that promotes electronic access, exchange, and the use of health information to move the national health care system toward greater interoperability.

Patient rights and accessibility are at the forefront of OCR’s mind. “Covered entities owe it to their patients to provide timely access to medical records,” said Acting OCR Director Robinsue Frohboese in announcing the DELC settlement. OCR takes patient complaints seriously and has demonstrated that stiff fines will follow for HIPAA-regulated entities that fail to take expeditious action on requests from patients for access to their information.

We will continue to monitor enforcement patterns, trends, and other developments under OCR’s Right of Access Initiative. Should you have any questions related to the Right of Access Initiative or OCR enforcement, please do not hesitate to reach out to the health care attorneys at Reed Smith.