FDA codifies requirements for the medical device De Novo classification process

On October 5, 2021, the U.S. Food and Drug Administration (“FDA”) published a final rule to establish requirements for the medical device De Novo classification process under the Federal Food, Drug, and Cosmetic Act.

The final rule, which takes effect January 3, 2022, comes nearly three years after the FDA first proposed it and, notably, sets forth the procedures and criteria for a manufacturer’s voluntary submission and withdrawal of a De Novo request.  Additionally, the rule clarifies how agency staff intends to accept and review the requests, as well as how FDA staff will determine whether to grant or decline the requests.  Finally, the rule also provides a way for combination products to use the De Novo pathway.

Useful for novel, low risk medical devices

The implementation of the De Novo classification process is especially significant for manufacturers of novel, low-risk medical devices.  Prior to the De Novo program, which was created in 1997, any device that lacked a predicate automatically became designated as a Class III device and, therefore, required premarket approval to legally reach the market.  Because this premarket pathway is designed to regulate the riskiest category of devices, manufacturers typically had to endure longer than anticipated wait times for approval of their low-risk devices.

Continue Reading

FTC warns non-HIPAA covered entities to comply with Health Breach Notification Rule

In an increasingly digital and interconnected world, the privacy and security of personal information is a significant concern. Applications and connected devices collect a bevy of personal information from consumers, including sensitive information about consumers’ health. Because of the sensitivity of health information, the United States has developed a variety of legal protections and enforcement mechanisms regarding the privacy and security of health information, including state and federal law, regulations, and federal agency guidance. At times, these legal protections and enforcement mechanisms intersect, bringing the enforcement powers of multiple federal regulations and agencies to bear to protect the privacy and security of consumers’ health information.

On September 15, 2021, the Federal Trade Commission (“FTC”) released a policy statement addressing the scope of the FTC’s Health Breach Notification Rule with respect to applications and connected devices that collect health information. At first glance, the FTC’s Health Breach Notification Rule and the privacy provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) and its implementing regulations appear to operate in similar spaces, both regulating access to health information. However, HIPAA and the FTC Rule apply to different entities. HIPAA applies to covered entities and their business associates (e.g. health care providers that submit claims electronically, health plans, and health care clearinghouses, and third parties that provide services for or on behalf these types of organizations that generally require access to protected health information) and the FTC Rule applies to businesses not regulated by HIPAA. Therefore, while the regulations operate in similar spaces, the scope of the regulations differs.

For further discussion on the FTC’s policy statement, the Health Breach Notification Rule, and its differentiation from HIPAA, please see our post on Reed Smith’s Technology Law Dispatch.

Biden administration looks to centralize pandemic response in preparedness plan

In a report released on September 2, 2021 the Biden administration announced its plan to help prepare the nation for future pandemic threats. In the report, named American Pandemic Preparedness: Transforming Our Capabilities, the administration described what it sees as the vital need to change the nation’s capabilities to better respond to any future pandemics or biological threats.

The report organizes the proposed actions under five pillars: (1) Transforming Medical Defenses, (2) Ensuring Situational Awareness, (3) Strengthening Public Health Systems, (4) Building Core Capabilities, and (5) Managing the Mission

The report calls for action to “not just refill our stockpiles, but also to transform our capabilities.” The report compares the proposed plan to the Apollo space program because of the importance that the administration is placing on the efforts as well as the proposed coordination among agencies and departments.

Ultimately, the administration is planning to create a centralized “mission control” that would work to coordinate resources and expertise from multiple agencies within the Department of Health and Human Services like the National Institutes of Health, Centers for Disease Control and Prevention, Biomedical Advanced Research and Development Authority (a component of the office of the Assistant Secretary for Preparedness and Response), Food and Drug Administration and the Centers for Medicare and Medicare Services, along with other cabinet-level departments such as the Department of Defense, Department of Energy, and the Veterans Administration.

Continue Reading

DOJ revises approach to publication and enforcement of guidance documents

On July 1, 2021, the Department of Justice (DOJ) released a memorandum signed by Attorney General Merrick Garland regarding the issuance and use of guidance documents. Addressed to the heads of all DOJ components, the memorandum rescinds two previous DOJ memoranda and outlines the principles governing the DOJ’s revised approach in evaluating guidance documents.

2017 Memorandum

On November 16, 2017, then Attorney General Jeff Sessions published a memorandum entitled “Prohibition on Improper Guidance Documents” (the “2017 Memorandum”). The 2017 Memorandum sought to address instances in which guidance documents published by the DOJ were being used to “effectively bind private parties without undergoing the [notice-and-comment] rulemaking process.” Under the 2017 Memorandum, Attorney General Sessions prohibited publication of guidance documents “that purport to create rights or obligations binding on persons or entities outside the Executive Branch (including state, local and tribal governments).”  The 2017 Memorandum directed the DOJ to also adhere to several principles in constructing and publishing guidance documents. These included avoiding the use of mandatory language, specifically noting that voluntary standard non-compliance would not result in enforcement action and including unambiguous statements that published guidance documents were not legally-binding final agency actions.

Brand Memo

Following the 2017 Memorandum, then Associate Attorney General Rachel Brand released a memorandum entitled “Limiting Use of Agency Guidance Documents In Affirmative Civil Enforcement Cases” (the “Brand Memo”). The Brand Memo built upon the publication principles outlined in the 2017 Memorandum and extended them to the DOJ’s legal actions, preventing DOJ lawyers from utilizing non-compliance with guidance documents as a basis for filing a civil lawsuit. While DOJ lawyers could still use guidance documents read by a party as evidence that such party had knowledge of a legal mandate, “that a party fails to comply with agency guidance [documents] expanding upon statutory or regulatory requirements does not mean that the party violated those underlying legal requirements.”

Continue Reading

Seventh Circuit adopts Safeco objective reasonableness standard in the context of false claims act cases

On August 12, 2021, the Seventh Circuit joined the Third, Eighth, Ninth, and D.C. Circuits in holding that the “objective reasonableness” standard for determinations of scienter, as set forth by the Supreme Court in Safeco Insurance Co. of America v. Burr, 551 U.S. 47, 70 (2007), applies in the context of False Claims Act (FCA) litigation.  In doing so, the Seventh Circuit observed that, under Safeco, a defendant cannot possess the requisite scienter under the FCA if: (1) it has an objectively reasonable reading of the statute or regulation; and (2) there was no authoritative guidance warning against its view.  This case has significant implications for defendants in FCA litigation by finding that an objectively reasonable interpretation of the law will defeat allegations of false claims.

Further, the decision is the latest victory in a spate of cases brought by the plaintiffs’ bar claiming that pharmacies are required to report special prices—such as membership club prices or matched competitor prices—as their usual and customary (U&C) prices. Virtually every pharmacy that has operated a membership club has faced scrutiny through actions under the FCA and consumer-class actions. The Seventh Circuit’s decision comes in the wake of the recent jury verdict in favor of CVS in the matter of Carl Washington (formerly known as Corcoran) et al. v. CVS Pharmacy, Inc., No. 15-cv-03504 (N.D. Ca. Jun. 24, 2021).   This victory will support pharmacies’ defenses in other similar litigation alleging the submission of false U&C prices, particularly when the alleged false conduct occurred before 2016, given that the Seventh Circuit found that reporting retail prices—as opposed to special prices such as price matches—was an objectively reasonable approach to U&C reporting.

The Lower Court’s Decision: Continue Reading

No Surprises Act: Time to revisit balance billing prohibitions in hospital-based physician professional services agreements with hospitals?

Effective January 1, 2022, common prohibitions against “balance billing” under hospital professional service contracts will likely become moot due to certain superseding federal prohibitions under the federal No Surprises Act enacted December 27, 2020.  As detailed below, certain hospital-based physicians, including radiologists, anesthesiologists, and pathologists, should keep these new federal billing prohibitions in mind when entering into new hospital professional services agreements (“PSAs”) and revisit their existing agreements to determine whether any changes are appropriate.

“No Surprises Act” Background.

The federal government’s growing focus on surprise medical bills reached a new high on July 1, 2021, when the Department of Health and Human Services (“HHS“), along with the Department of Labor and Department of the Treasury, released a consumer-focused interim final rule with comment period taking aim at surprise billing and excessive cost-sharing practices.  The rule, which also cites an ineffective “patchwork” of consumer protections under existing state laws, represents the first implementing regulation under the No Surprises Act.  Both the rule and the statute become effective on or after January 1, 2022.

Balance Billing Prohibition.

This article discusses two distinct but interwoven billing procedures that deserve clarification: “surprise billing” and “balance billing.”

Continue Reading

FDA clarifies evidence and knowledge requirements in intended use final rule

On August 2, 2021, the U.S. Food and Drug Administration (“FDA”)  published a final rule amending existing regulations (21 C.F.R. § 201.128 and 21 CFR § 801.4) that describe the types of evidence relevant to determine a drug or device’s intended use under the Food, Drug and Cosmetic Act (“FDCA”).  See 86 Fed. Reg. 41,384–85.

This final rule, which takes effect as of September 1, 2021, withdraws and replaces a final rule that FDA promulgated on January 9, 2017, but which never became effective due to an outcry concerning a problematic knowledge provision that was contrary to the statutory scheme of the FDCA and to physicians’ autonomy to use FDA-approved products in an off-label manner.

Prior to the 2021 final rule, FDA issued a proposed rule on September 23, 2020 that eliminated the 2017 rule’s knowledge provision and was much more aligned with FDCA intent and current FDA policy and practice.  FDA maintains, and we agree, that August 2021 final rule remains largely unchanged from the 2020 proposed language.

The following is a review of some important changes that FDA regulated entities should take note of as they develop and market FDA regulated products:

Continue Reading

HHS authorizes pharmacy technicians and interns to administer flu vaccines

The flurry of Covid-19 vaccine administration that marked the mid spring to early summer resulting in millions of doses administered daily has given way to a steady stream of approximately 700,000 doses of vaccine administered daily, according to some analysis of CDC data.

But now that August has arrived so has the need for regularly scheduled pediatric vaccines to be administered as schools open up again. Also, next month marks the beginning of flu season and its flood of vaccine requests. All of this demand for vaccine administration could threaten to overwhelm some of the pharmacies that have typically been a destination for quick and easy vaccine administration.

On August 4, the HHS officially amended the PREP Act declaration on medical countermeasures against Covid-19 in an effort to stave off any bottle-necking at pharmacies that administer flu vaccines. The declaration amendment, which took immediate effect and last until the end of the public health emergency officially included qualified pharmacy technicians and interns  as “qualified persons” permitted to administer seasonal influenza vaccines to adults age 19 and older. Additionally, the amendment officially identifies the same techs and interns as authorized to administer the Covid-19 vaccine as well as pediatric vaccines that are on the Advisory Committee on Immunization Practices (ACIP) schedule.

Continue Reading

Health Care Provisions in the Infrastructure Investment and Jobs Act

On August 1, 2021, the Senate released the legislative text of the bipartisan infrastructure bill, the “Infrastructure Investment and Jobs Act,” H.R. 3684.  The Senate is expected to vote this week, before a month-long recess beginning on August 9, 2021.  The 2,702 page legislation contains several relevant health care-related provisions, including a delay of the implementation of the rule eliminating the Anti-Kickback Statute (“AKS”) safe harbor protection for Medicare Part D rebates.

Rebate for Discarded Amounts of Medicare Part B Single-Dose Container or Single-Use Package Drugs

First, the legislation requires manufacturers of single-dose container or single-use package drugs payable under Medicare Part B to provide a rebate to the government for any discarded portion of that drug.  The rebates will be charged each quarter, beginning with the first quarter of 2023, and must be paid in regular intervals, as determined appropriate by the Secretary of the U.S. Department of Health and Human Services (“HHS”).  The legislation provides that, in order to enforce this provision, HHS will conduct periodic audits of both drug manufacturers and providers who submit claims.  For violations of this provision, HHS will impose Civil Monetary Penalties in amounts equal to the sum of the amount that the manufacturer would have paid and twenty-five percent of such amount.

Continue Reading

CMS Gives the IPO List the Godfather 3 Treatment

Just when the procedures thought they were out(patient), CMS pulls them back in(patient).

Last year, in the final CY 2021 Outpatient PPS rule, CMS announced its intention to eliminate the Inpatient Only (IPO) List by January 1, 2024. The IPO list featured more than 1,700 procedures that were surgically invasive or required more than 24 hours of post-operational recovery time. As a result, any procedure on the list would only be paid for by Medicare on an inpatient basis.

With the CY 2021 rule, those procedures would be released to outpatient providers in stages, allowing physicians to clinically determine whether inpatient admission was indicated for a particular procedure.

However, in the proposed CY 2022 Outpatient PPS rule, announced on July 19, 2021, CMS reversed that decision and announced that it will now keep the IPO List, reinstating the 298 procedures that were removed by the 2021 rule. CMS said it was responding to concerns from stakeholders about patient safety. In particular, CMS indicated that the 2021 rule removed the procedures on too steep of a timeline. The agency said it wanted to provide “greater consideration of the impact removing services from the list has on beneficiary safety and to allow providers impacted by the COVID-19 PHE additional time to prepare to furnish appropriate services safely and efficiently before continuing to remove large numbers of services from the list.”

Continue Reading

Expansive enforcement of HIPAA Right of Access continues

Starting in 2019, the Department of Health and Human Services Office for Civil Rights (“OCR”) has taken an increased interest in protecting patients’ right of access to protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”). Over the past twenty months, OCR has announced nineteen settlements under its Right of Access Initiative (“Initiative”), demonstrating OCR’s continued commitment to enforcing patients’ rights. Reed Smith has closely tracked this Initiative. Additional commentary on the Initiative and the associated settlements can be found here, and here.

Under HIPAA, “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.” Once a request for access has been made, the covered entity must act on the request “no later than 30 days after receipt of the request….” The Initiative focuses on enforcement of these duties under HIPAA and hold to account those who fail to comply.

The first settlement, which was announced on September 9, 2019, arose from a mother’s complaint alleging that Bayfront Health St. Petersburg (“Bayfront”) failed to provide timely access to her child’s prenatal medical records. Bayfront paid $85,000 to OCR and agreed to one year of monitoring to settle the potential violation of the right of access provision of HIPAA. At the time, then-OCR Director Roger Severino stated, “Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law. We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.” This statement and settlement demonstrates that OCR views the Initiative as central in furthering not only the agency’s directive in protecting patient’s rights, but also in making healthcare more affordable and keeping patients informed about their health.

The organizations that have be subject to OCR scrutiny under this initiative vary widely. Since the inception of the Initiative, OCR has taken action against a range of regulated entities, from private practitioners to one of the largest health care systems in the United States. The nineteen settlements targeted covered entities located across a dozen states, and involved varied medical specialties, including, but not limited to, mental health, plastic surgery, pain management, and endocrinology. The complainants that initiated these investigations also reflect the varied contexts in which requests for access are made, such as patients seeking their own PHI, parents requesting their child’s records, and a child asking for her father’s medical records. Although the settlements varied widely under the Initiative (ranging from $3,500 to $200,000), most settlements have been within a range of tens of thousands of dollars. Additionally, all of the nineteen settlements include corrective action plans, which mandate OCR monitoring for a period of one or two years.

In determining the payment of civil monetary penalties (in the event the regulated entity and OCR cannot not come to a settlement), OCR is directed to consider multiple factors including (i) the nature and extent of the HIPAA violation; (ii) the harm resulting from the violation; (iii) the regulated entity’s history with respect to compliance with the HIPAA rules; (iv) the financial condition of the regulated entity, including its size, and (v) recognized security practices.

Noticeably, in many of these cases, the payment of a settlement amount came after OCR provided technical assistance to the regulated entity regarding how to comply with HIPAA right of access requirements in response to a patient complaint. In these instances, the regulated entity’s continued failure to address the request for access resulted in a second complaint, an investigation by OCR, and, ultimately, a financial settlement and additional monitoring.

For example, in March 2021, OCR announced a settlement with The Arbour, Inc (“Arbour”), a Massachusetts-based covered entity provider of behavioral health services. After a patient filed an initial complaint alleging that Arbour failed to take timely action in response to a record request, OCR provided Arbour with technical assistance regarding its right of access duties under HIPAA. Following OCR’s provision of technical assistance, the patient filed a second complaint with OCR claiming that Arbour continued to fail to respond to the patient’s request. In the settlement, Arbour agreed to pay $65,000 and undertake a corrective action plan that included one year of monitoring. At the time the settlement was announced, Acting OCR Director Robinsue Frohboese said, “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” In nine of the nineteen settlements under the Initiative, OCR has reported providing technical assistance before enforcement action was taken in response to a second complaint.

An important lesson to the industry is that it is crucial that regulated entities promptly provide patients with requested PHI and respond to OCR if the agency reaches out to provide technical assistance.

 

Reed Smith will continue to track developments involving the Initiative. Should you have any questions related to this OCR Initiative please do not hesitate to reach out to the health care attorneys at Reed Smith.

Consensus among HHS agencies on addressing social determinants of health through better data capture, interoperability

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year or so, U.S. federal government policy has made a fundamental shift to align with this notion, focusing in part on better integration of health data and human services data to realize improved health outcomes that patients experience.

This policy shift is highlighted in the U.S. Department of Health & Human Services’ (HHS’) 2020-2025 Federal Health IT Strategic Plan, and is underscored in the Biden Administration’s American Rescue Plan and other policy recommendations that include ways to address SDOH, particularly in the wake of the COVID-19 pandemic. Through these policies and legislative initiatives, we have seen HHS agencies, such as the Office for Civil Rights (“OCR”), the agency that enforces HIPAA, the Office of the National Coordinator for Health Information Technology (“ONC”), the agency charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information, and others, signal that use and disclosure of patient information for certain treatment and health care operations activities, namely care coordination and management, to address SDOH is not only permissible but encouraged at both the individual-level and the population-level.

OCR’s Notice of Proposed Rulemaking (NPRM) published in January 2021, proposes pivotal changes to key standards, definitions, and patient rights under the HIPAA Privacy Rule, which are geared toward promoting care coordination and value-based care, and empowering patients with greater access to their health information.  More specifically, in addition to facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhancing flexibilities for disclosures of protected health information (PHI) in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies, OCR’s NPRM seeks to clarify the (already existing) scope of a HIPAA covered entity’s ability to disclose PHI to social service agencies, community-based organizations, home and community-based service providers, and other similar third parties providing health-related services in order to facilitate coordination of care and case management for permissible treatment and health care operations purposes under the law.  As proposed, the HIPAA Privacy Rule’s definition of “health care operations” would be amended to expressly permit disclosure of PHI for care coordination and case management activities, whether population-based or focused on particular individuals, and without a patient authorization.

If finalized, this clarification would give comfort to covered health care providers and health plans seeking to address SDOH among their patient and member populations that they may use and disclose PHI for these purposes without running afoul of HIPAA.  In effect, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, their patient’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a local service agency that arranges such services for individuals, or disclose PHI to a senior center to help coordinate necessary health-related services for a patient such as arranging for a home aide to help the patient with their prescribed at-home prescription or post-discharge treatment protocol.  Likewise, a covered health plan may disclose PHI to facilitate care coordination and case management activities as part of the plan’s health care operations, including working closely with community-based organizations and/or multi-disciplinary teams to address SDOH and coordinate comprehensive wraparound services, such as clinical and behavioral health care, social services, and patient advocates to support certain populations, such as senior citizens or people experiencing food insecurity, homelessness, severe mental illness or substance abuse disorders.

Demonstrating consensus around the use of patient information in the clinical context to address SDOH, last week ONC released version 2 of the United States Core Data for Interoperability (“USCDI”), which now includes patient information related to SDOH, as well as sexual orientation and gender identity.  USCDI is a standardized set of health data classes and data elements for nationwide, interoperable health information exchange.  ONC requires compliance with the USCDI version 1 for health information technology (“IT”) certified to its Health IT Certification Program, 2015 Edition Cure Update in order to establish baseline standards for capturing health information in electronic health records and for exchanging that information with other systems.  USCDI version 1 is also incorporated into ONC’s Information Blocking Rule, which prohibits interference with access, exchange, and use of electronic health information by health care providers, health information exchanges and health information networks, and ONC-certified health IT developers.  For more information on the Information Blocking Rule, please refer to Reed Smith’s 2021 Health Care Outlook, Information Blocking Webinar Series, and recent Health Industry Washington Watch blog posts.

While compliance with USCDI version 2 is not mandated for ONC-certified health IT at this time or health care providers or systems from a documentation or data sharing perspective, it serves as additional evidence that the activities a HIPAA covered health care provider or health plan undertake to address SDOH can fall within the scope of treatment and health care operations activities consistent with OCR’s proposed clarifications and modifications to the HIPAA Privacy Rule.

 

Reed Smith is closely tracking the further integration of SDOH data across the health care industry, including with respect to the release of OCR’s final rule.  Should you have any questions regarding the impact of these developments on your organization, please contact Nancy B. Halstead, Vicki Tankle, or a member of your Reed Smith health care team.

 

[1] See Office of Disease Prevention and Health Promotion, Social Determinants of Health (2020), available at https://www.healthypeople.gov/2020/topics-objectives/topic/social-determinants-of-health; U.S. Centers for Disease Control and Prevention, Social Determinants of Health: Know What Affects Health, available at https://www.cdc.gov/socialdeterminants/.

Provider Relief Fund Reporting Portal open for reporting Period 1

On July 1, 2021, the U.S. Department of Health and Human Services (“HHS”), through the Health Resources and Services Administration (“HRSA”) notified recipients of Provider Relief Fund (“PRF”) payments via e-mail that the PRF Reporting Portal is now open for providers who are required to report on the use of funds in Reporting Period 1 as described by HHS’s June 11, 2021 update to the reporting requirements.

HRSA also provided resource guides and FAQs to assist providers with understanding the reporting requirements and how to access and use the Reporting Portal. HRSA’s resources included a few notable clarifications and confirmations. First, if a provider received multiple payments across multiple time periods, HRSA clarified that the provider must report during each reporting time period which corresponds to the payment received period. In other words, a provider who received and used all of the PRF payments over various time periods is not allowed to report everything in the initial report and will have to file multiple reports. Similarly, HRSA confirmed that a provider may not submit reports early and, instead, must report during the reporting time period that corresponds to the payment received period in accordance with the June 11, 2021 guidance. In addition, HRSA will not notify a provider regarding whether it agrees with the provider’s reporting. Finally, HRSA will not grant extensions to the reporting period and providers who fail to submit a timely report may be subject to recoupment of PRF payments.

Providers can register to attend a recorded webcast hosted by HRSA on July 8, 2021 at 3 PM ET for additional technical assistance on reporting requirements. Should you have any questions related to the PRF reporting requirements and how it may impact your organization, please do not hesitate to reach out to the health care attorneys at Reed Smith.

Office of Civil Rights shares critical cybersecurity guidance amid string of ransomware attacks

On June 9, 2021, the Office of Civil Rights (OCR) shared a cyber-alert containing important updates on how companies can protect their operations from ransomware attacks. The guidance comes from the White House and Cybersecurity and Infrastructure Security Agency. The memo, entitled “What We Urge You To Do To Protect Against The Threat of Ransomware,” addresses the increased frequency and magnitude of ransomware incidents, calling upon the private sector to join the government’s efforts to protect organizations from the growing threat of such attacks.

This memo comes on the heels of President Biden’s Executive Order to improve the nation’s cybersecurity and protect federal government networks — further indicating the prioritization of cybersecurity in the federal government and private entities. In conjunction with providing essential guidance to private entities, the memo also highlights the government’s efforts to develop cohesive and consistent policies towards ransom payments, enable rapid tracing and interdiction of virtual currency proceeds, and work with the international community to hold countries that harbor ransomware actors accountable.

Providing concrete steps private entities can follow, the memo urges companies to do the following to increase cybersecurity: (1) implement the five best practices from the President’s Executive Order, including, for example,: multifactor authentication and data encryption, (2) back up data,  regularly test systems and keep backups offline, (3) update and patch systems promptly, (4) test incident response plans, (5) evaluate organizational security team’s practices by using a third-party tester to determine cybersecurity readiness, and (6) segment company networks so that if a network is compromised, the harm is mitigated.

While the memo provides vital and timely guidance on cybersecurity practices to private entities, it generally carries no binding effect. However, the non-binding nature of the memo should not create a false sense of reduced responsibility. OCR has demonstrated that it will collect large monetary settlements from regulated entities that fail to appropriately safeguard their networks and systems from cyberattacks. For example, OCR settled a data breach with CHSPSC LLC (CHSPSC) after information technology (IT) provider permitted hackers to access healthcare provider IT information with compromised administrative credentials. CHSPSC agreed to pay $2.3 million to settle this matter. OCR’s investigation found a history of “systemic noncompliance” with HIPAA security rules by CHSPSC, despite express warning of attempt hacking from the FBI. “The health care industry is a known target for hackers and cyberthieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said Severino.

We will continue to report on any additional guidance provided by OCR as they seek to aid the government in cybersecurity efforts across the public and private sectors. Should you have any questions related to cybersecurity best practices, potential liability, or OCR guidance, please do not hesitate to reach out to the health care attorneys at Reed Smith.

This post was co-authored by Marquan Robertson, a Reed Smith summer associate.

Important updates to provider relief fund reporting requirements

On June 11, 2021, the Department of Health and Human Services (“HHS”) announced that it had released revised reporting requirements for those providers and suppliers that have received Provider Relief Fund payments during the COVID-19 pandemic. Readers may recall that HHS previously issued notices on post-payment reporting requirements starting in July 2020, and that previous updates were announced in January 2021. The June 11, 2021 updates (the “Revised Requirements”) supersede previous reporting requirements, which never went into effect.

To whom do these requirements apply?

The post-payment reporting requirements apply to those who received one or more Provider Relief Fund payments exceeding $10,000 during one of the “Payment Received Periods.” In addition to the General Distributions and Targeted Distributions of Provider Relief Fund monies, the Revised Requirements now also include funds received under the Skilled Nursing Facility and Nursing Home Infection Control Distribution.

Recipients have two distinct, overarching reporting obligations based on the Payment Received Period. Specifically, recipients must, within a set period of time, (1) use the funds received and (2) report on the use of such funds. Generally speaking, the Revised Requirements extend the time period in which certain funds must be used (the previous deadline to use all such funds was June 30, 2021) and allow for a longer time period to complete reporting (90 days instead of 30 days).

The table below is a summary of the reporting requirements and deadlines:

How is reporting done? What must be reported?

Reports must be submitted through the Provider Relief Fund Reporting Portal, which will open on July, 1, 2021. Reports are to be made in accordance with the entity’s normal basis of accounting. Details regarding the information that must be reported are found in the Revised Requirements, but generally the information includes “data elements” related to the business and its subsidiaries, interest earned on Provider Relief Fund payments, other assistance received, use/application of funds, lost revenues attributable to coronavirus, and certain personnel, patient, and facility metrics. A copy of the Revised Requirements is available here. For additional information on how the Revised Requirements might impact you, please reach out to the health care attorneys at Reed Smith.

Patient Right of Access Under HIPAA and Increased Enforcement

This post was also written by Marquan Robertson, a Reed Smith summer associate. 

In 2019, the Department of Health and Human Services Office of Civil Rights (OCR) announced its Right of Access Initiative. The Right of Access Initiative realizes OCR’s commitment to ensuring the aggressive enforcement of patients’ rights to receive copies of their medical records. Enforcement of the initiative applies to all organizations required to comply with HIPAA standards.

HIPAA regulations stipulate that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: (i) psychotherapy notes; and (ii) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”

Staying true to the spirit of its Right of Access Initiative, OCR recently settled its nineteenth investigation with the Diabetes, Endocrinology & Lipidology Center, Inc. (DELC). DELC is a health care provider for endocrine disorders in West Virginia. OCR’s investigation stemmed from an August 2019 complaint in which a mother alleged that DELC failed to deliver medical records for her minor child in a timely manner. Despite the complaint coming just a month after failed delivery of the requested medical records, copies were not provided to the mother until May 2021—almost two years after the initial request. DELC signed a resolution agreement following OCR’s investigation, agreeing to pay $5,000 and to undertake a corrective action plan featuring two years of continuous monitoring.

We have previously reported on OCR’s vigorous enforcement of its Right of Access Initiative, trending toward increased patient rights. These previously published articles are available here and here. The articles highlight multiple OCR settlements and OCR’s recent push for interoperability among health care providers. Moreover, the Office of the National Coordinator for Health Information Technology and Centers for Medicare & Medicaid Services, in conjunction with the Department of Health and Human Services Office of the Inspector General, have led the way for increased monitoring and compliance standards through various rule proposals. These proposals call for the implementation of technology that promotes electronic access, exchange, and the use of health information to move the national health care system toward greater interoperability.

Patient rights and accessibility are at the forefront of OCR’s mind. “Covered entities owe it to their patients to provide timely access to medical records,” said Acting OCR Director Robinsue Frohboese in announcing the DELC settlement. OCR takes patient complaints seriously and has demonstrated that stiff fines will follow for HIPAA-regulated entities that fail to take expeditious action on requests from patients for access to their information.

We will continue to monitor enforcement patterns, trends, and other developments by the OCR’s Right of Access Initiative. Should you have any questions related to the Right of Access Initiative or OCR enforcement, please do not hesitate to reach out to the health care attorneys at Reed Smith.

Reed Smith Outlook: U.S. Health Care 2021

We recently released the 2021 U.S. Health Care Outlook digital white paper, an industry trends report written by numerous lawyers on our health care team. The Health Care Outlook gives an in-depth look at the major regulatory issues that life science and health care companies can expect to face throughout the rest of this year and beyond. The white paper includes sections on: post-COVID trends and lessons learned; the future of value-based care; the intersection of health care and data; and the evolving environment of health care delivery. We expect these issues will have a significant impact on the life science and health care industry and are important for companies operating or investing in the sector to understand. Please take a look at the report for more information on these exciting new health trends.

 

HHS, acting U.S. Attorney, and California Attorney General issue joint warning of the potential consequences of charging patients for COVID-19 vaccines

On May 18, 2021, in a statement issued by the U.S. Department of Health and Human Services’ (HHS) Office of Inspector General, Acting U.S. Attorney for the Eastern District of California, Phillip Talbert, and California Attorney General, Rob Bonta (the Statement), the health care industry was reminded of the prohibition against charging individuals for COVID-19 vaccines (the Vaccine(s)). The Statement reinforced the Centers for Disease Control and Prevention’s (CDC) mandate that administration of the Vaccine should come at no personal cost to the recipient. The CDC instructs participants that they must (1) administer the Vaccines regardless of a recipient’s ability to pay administration fees or coverage status, (2) provide Vaccines at no out-of-pocket cost to the recipient, and (3) may seek appropriate reimbursement from an appropriate program or plan, such as the recipients insurance policy or the Health Resources and Services Administration’s COVID-19 Uninsured Program, which covers Vaccine administration fees associated with uninsured individuals.

The Statement issued this month comes after the California Attorney General’s office received allegations that entities administering the Vaccine had been charging as much as $45 in out-of-pocket fees to recipients. This reminder serves as a warning of the possible legal consequences of seeking payment directly from individuals for the Vaccine. Such entities could be subject to investigation by the U.S. Department of Justice (DOJ) for violation of the civil False Claims Act, various civil and criminal statutes, and removal from the CDC’s COVID-19 Vaccination Program. In the last few months alone, the DOJ has charged hundreds of individuals who have allegedly abused various COVID-19 relief programs, involving more than $569 million in alleged fraudulent claims.

Although the Statement largely served as a cautionary tale to entities that are inappropriately seeking payment from patients for administration of the Vaccine, HHS also reminded those distributing the Vaccine to seek reimbursement from various sources, including  HHS’ COVID-19 Coverage Assistance Fund (CAF), which is intended to compensate providers in instances where a patient has insurance that does not cover vaccines, or does cover vaccines, but includes patient cost-sharing. Services reimbursed by CAF include the costs of training individuals to administer the Vaccine, storing the Vaccines, and the staffing needs involved in administering doses.

Reed Smith continues to track guidance involving the distribution of the Vaccine, and will continue to provide updates moving forward.  Should you have any questions related to the distribution of the Vaccine, please do not hesitate to reach out to the health care attorneys at Reed Smith.

CMS again postpones the effective date of Medicare coverage pathway to access “breakthrough” medical technologies, regulatory standard for determining whether an item or service furnished under Medicare is “reasonable and necessary”

On May 14, 2021, the Centers for Medicare & Medicaid Services (CMS) released a new final rule that further delays until December 15, 2021, the effective date of the final rule titled “Medicare Program; Medicare Coverage of Innovative Technology (MCIT) and Definition of ‘Reasonable and Necessary’” (the January 2021 Rule), which was published in the final days of the Trump Administration.

As a reminder, the January 2021 Rule sought to:

  • Establish the MCIT pathway to provide beneficiaries nationwide with faster access to new, innovative medical devices designated as breakthrough devices by the Food and Drug Administration (FDA); and
  • Implement a codified regulatory standard that must be used in determining whether all items and services satisfy Medicare’s reasonable-and-necessary requirement.

Under the January 2021 Rule, the regulatory changes were originally scheduled to take effect on March 15, 2021. However, following a change in presidential administration, the January 2021 Rule became subject to a regulatory freeze.

On March 17, 2021, CMS published an interim final rule that delayed the effective date of the January 2021 Rule until May 15, 2021, and provided a new comment period to solicit additional feedback.

Now, with the considerable length of the most recent delay, CMS will have ample time to evaluate the planned regulatory changes and address any issues raised in stakeholders’ submitted comments. It is also possible that CMS may ultimately rescind the January 2021 Rule entirely.

For those looking to learn more about the January 2021 Rule, as currently written, below is a brief primer.

The MCIT Pathway

In 2016, Congress passed the 21st Century Cures Act, which codified a new pathway for the FDA to expedite the development, assessment, and review for market approval—and subsequent distribution to patients—of innovative medical devices and diagnostic tests via a special “breakthrough” designation. Notably, FDA specifically reserves such designation for those medical technologies that treat patient populations with debilitating conditions for which there are limited or no treatment alternatives. However, Congress did not expressly create a corresponding pathway for CMS to expedite coverage of such breakthrough technologies for Medicare beneficiaries. As a result, even after FDA approval or clearance, Medicare beneficiaries often wait years before being able to take advantage of breakthrough medical technologies and therapies.

The January 2021 Rule’s new MCIT pathway, which is voluntary for device manufacturers, would bridge the gap between FDA approval and Medicare coverage. That is, the regulation would provide Medicare beneficiaries with immediate national coverage for four years for any new medical device or diagnostic test designated as a “breakthrough” medical technology and deemed safe and effective by FDA, and then would require CMS and manufacturers to work together to identify and develop any additional data necessary to make a permanent coverage decision after the four-year coverage period expires. Specifically, at the end of the MCIT pathway, a breakthrough technology would either have a favorable National Coverage Determination (NCD), a non-coverage NCD, or coverage decided by a Medicare Administrative Contractor.

The “Reasonable and Necessary” Requirement

Section 1862(a)(1)(A) of the Social Security Act, 42 U.S.C. § 1395y(a)(1)(A), mandates that no payment may be made under Medicare Part A or Part B for any expenses incurred for items or services “not reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body member.” Despite the long-standing nature of this statutory requirement, to date CMS and its contractors have determined whether such items and services are “reasonable and necessary” on a case-by-case basis often subject to national and local coverage policies.

After several attempts in the past, the January 2021 Rule would represent the first time that CMS has codified a “reasonable and necessary” regulatory standard. For the most part, the January 2021 Rule would adopt preexisting criteria for “reasonable and necessary” outlined in the Medicare Program Integrity Manual. Specifically, an item or service would be deemed “reasonable and necessary”—and eligible for coverage—if such item or service is considered:

  1. Safe and effective;
  2. Not experimental or investigational; and
  3. Appropriate for Medicare patients, including the duration and frequency that is considered appropriate for the item or service.

Notably, the January 2021 Rule as currently written would include an alternative pathway to Medicare coverage: where there is insufficient evidence to satisfy the required appropriateness criteria, CMS would consider providing coverage to the extent the item or service is covered by a majority of commercial insurers.

What if I have additional questions?

Should you have any questions related to the postponement of the MCIT pathway or CMS’s Medicare-wide regulatory definition of “reasonable and necessary,” please do not hesitate to reach out to the health care attorneys at Reed Smith.

HHS to prohibit discrimination on the basis of sexual orientation and gender identity

On May 10, 2021, the Department of Health and Human Services (“HHS”) announced that— consistent with the Supreme Court’s decision in Bostock v. Clayton County, 140 S. Ct. 1731 (2020), and Title IX of the Education Amendments of 1972—HHS’s Office of Civil Rights (“OCR”) will interpret and enforce the prohibition on discrimination on the basis of sex under Section 1557 of the Patient Protection and Affordable Care Act to include: (1) discrimination on the basis of sexual orientation; and (2) discrimination on the basis of gender identity. OCR is responsible for enforcing Section 1557 and regulations issued thereunder, which prohibit discrimination on the basis of race, color, national origin, sex, age, or disability in covered health programs or activities. HHS stated that its interpretation will guide OCR in processing complaints and conducting investigations, but does not itself determine the outcome of any particular care or set of facts.

The announcement comes less than a year after the Supreme Court’s decision in Bostock, which held that Title VII of the Civil Rights Act of 1964’s prohibition on employment discrimination based on sex encompasses discrimination based on sexual orientation and gender identity. Bostock held that the plain meaning of “because of sex” in Title VII necessarily includes discrimination because of sexual orientation and gender identity.

As we previously reported, OCR’s implementation of the Section 1557 regulations and the impact of Bostock have been contested in federal courts across the country. But since Bostock, two federal circuits have concluded that the plain language of Title IX’s prohibition on sex discrimination must be read similarly. Moreover, on March 26, 2021, the Civil Rights Division of the Department of Justice issued a memorandum to Federal Agency Civil Rights Directors and General Counsel concluding that the Supreme Court’s reasoning in Bostock applies to Title IX.

As part of HHS’s recent announcement, Secretary of Health and Human Services Xavier Becerra stated: “The Supreme Court has made clear that people have a right not to be discriminated against on the basis of sex and receive equal treatment under the law, no matter their gender identity or sexual orientation. That’s why [on May 10] HHS announced it will act on related reports of discrimination[.]” The announcement observed that “discrimination in health care impacts health outcomes” and noted that “[r]esearch shows one quarter of LGBTQ people who faced discrimination postponed or avoided receiving needed medical care for fear of further discrimination.”

In enforcing Section 1557, OCR stated that it will comply with the Religious Freedom Restoration Act and all other legal requirements, as well as all applicable court orders that have been issued in litigation involving the Section 1557 regulations.

We will continue to monitor developments related to HHS’s announcement and their impact on covered entities.

LexBlog