Department of Health & Human Services Regulations

On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health. 

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, as well as general, personal information that is not directly protected by HIPAA.

Continue Reading New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health

In November 2020, four months after the Trump Administration issued a series of Executive Orders reiterating its policy goals on reducing the costs to consumers for prescription drugs and directing the Department of Health and Human Services, Office of Inspector General (“HHS-OIG”) to implement those policy objectives, HHS-OIG issued a Final Rule to amend certain provisions in the safe harbor regulations under the Federal Anti-Kickback Statute (“AKS”). The Final Rule included three key provisions:

  1. Elimination of discount safe harbor protection for manufacturer rebates paid directly, or indirectly through a pharmacy benefit manager (“PBM”) to Medicare Part D or Medicare Advantage plans (the “Rebate Rule”);
  2. Creation of a new safe harbor to protect point-of-sale (“POS”) price reductions paid by manufacturers to Medicare Part D plans, Medicare Advantage plans, and Medicaid managed care organizations (“MCOs”); and
  3. Creation of a new safe harbor to protect fair-market-value (FMV) service fees paid to PBMs by manufacturers.

The Final Rule imposed a January 1, 2022, effective date for the Rebate Rule. However, in January 2021, two months after issuance of the Final Rule and in connection to a lawsuit brought by the Pharmaceutical Care Management Association challenging the Rebate Rule, the Biden Administration agreed to delay the Rebate Rule’s effective date to January 1, 2023, as reflected in an Order by the United States District Court for the District of Columbia.

In the intervening time though, Congress passed the Infrastructure Investment and Jobs Act (the “Infrastructure Act”). That law, signed by President Biden on November 15, 2021, further delayed implementation of the Rebate Rule to January 2026. Thus the rule, which many thought would be eliminated as part of paying for the cost of the infrastructure bill, was still alive, if only delayed until the middle of the next presidential term.

Continue Reading Future of discount safe harbor for prescription drugs remains uncertain

Effective January 1, 2022, common prohibitions against “balance billing” under hospital professional service contracts will likely become moot due to certain superseding federal prohibitions under the federal No Surprises Act enacted December 27, 2020.  As detailed below, certain hospital-based physicians, including radiologists, anesthesiologists, and pathologists, should keep these new federal billing prohibitions in mind when entering into new hospital professional services agreements (“PSAs”) and revisit their existing agreements to determine whether any changes are appropriate.

“No Surprises Act” Background.

The federal government’s growing focus on surprise medical bills reached a new high on July 1, 2021, when the Department of Health and Human Services (“HHS“), along with the Department of Labor and Department of the Treasury, released a consumer-focused interim final rule with comment period taking aim at surprise billing and excessive cost-sharing practices.  The rule, which also cites an ineffective “patchwork” of consumer protections under existing state laws, represents the first implementing regulation under the No Surprises Act.  Both the rule and the statute become effective on or after January 1, 2022.

Balance Billing Prohibition.

This article discusses two distinct but interwoven billing procedures that deserve clarification: “surprise billing” and “balance billing.”

Continue Reading No Surprises Act: Time to revisit balance billing prohibitions in hospital-based physician professional services agreements with hospitals?

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year

In 2010, the Affordable Care Act (ACA) directed the Secretary of Health and Human Services to issue regulations to establish an administrative dispute resolution (ADR) process for certain claims between Section 340B covered entities and pharmaceutical manufacturers (e.g., claims of overcharging by manufacturers and claims of covered entities taking duplicative discounts or diverting Section 340B

Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).
Continue Reading Patient access to health information at the forefront of government initiatives and scrutiny

Following more than a month of silence from the U.S. Department of Health and Human Services (HHS) on the publication of its widely anticipated companion interoperability and information blocking final rules to the Federal Register, HHS’s Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the Office of the Inspector General (OIG), issued a joint statement announcing a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the final rules in response to the COVID-19 public health emergency.  The agencies indicated that they would continue to monitor the developing public health emergency to determine if further action is necessary.

OIG Proposed Rule

OIG issued an unpublished proposed rule amending the civil monetary penalty (CMP) regulations to include new CMP authorities for violations of ONC’s information blocking final rule.  OIG is seeking comment on when information blocking enforcement should begin, but has proposed to delay enforcement until 60 days after publication of the OIG’s final rule.  At a minimum, enforcement would not begin sooner than the compliance date for the ONC final rule established in 45 CFR § 171.101(b), which is November 2, 2020.

CMS Final Rule

CMS announced that the agency is extending the implementation timeline by an additional six months for certain components of its interoperability rule, including, for example, the admission, discharge, and transfer notification Conditions of Participation (CoPs).  In the unpublished version of CMS’ final rule, the agency initially stated these CoPs would be effective six months after the publication of the final rule.  Now, they will be effective one year after the final rule is published in the Federal Register – a date that is still to be determined.  CMS will implement and enforce other policies contained in the final rule on schedule.

ONC Final Rule

Earlier this week, ONC reissued the unpublished version of its final rule, which is now set for publication on May 1, 2020, with an effective date of June 30, 2020.  While the publication date triggers multiple compliance dates for various components of the interoperability and information blocking provisions (set at 60 days, 6 months, and 24 months following publication), the agency is changing that timeline for certain requirements in light of the COVID-19 crisis.  ONC has published new enforcement discretion dates and timeframes on its website.  We have summarized some key changes to the ONC final rule compliance timeline below.

Continue Reading HHS Delays Compliance for Sweeping Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information.  The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.

Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.

ONC Final Rule

For Providers, Health Information Networks or Exchanges, and Health IT Developers

  • Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.”  Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know or (b) if conducted by a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
    • EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule.  In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
    • Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA.  However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
  • Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
  • Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking.  According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met.  Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
  • Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor.  Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.


Continue Reading HHS Finalizes Healthcare Interoperability and Information Blocking Rules

The Departments of Health and Human Services (HHS) has just published its “annual” inflation update to civil monetary penalty amounts (CMP) in its regulations – even though those penalties were just increased for inflation in November 2019.  Under the latest update, CMPs are increased by a 1.01764 “multiplier” (that is, a 1.764% increase), applicable to

The Department of Health and Human Services (HHS) has released two proposed rules intended to increase the availability of organs for transplantation and improve the accountability of organ procurement organizations (OPOs), in conformance with President Trump’s Executive Order on Advancing American Kidney Health.

First, the Health Resources and Services Administration has proposed expanding the

As previously reported, the Department of Health and Human Services has published highly anticipated proposed changes to align the regulations under the Physician Self-Referral Law, the federal Anti-Kickback Statute, and the Civil Monetary Penalties Law with value-based health care arrangements.  Reed Smith is providing a series of client alerts and teleseminars that analyze key

The Department of Health and Human Services (HHS) has adopted its proposal to rescind the standard unique health plan identifier (HPID) and the “other entity identifier” (OEID), along with related implementation specifications and requirements for their use.  HHS adopted the HPID and OEID in a September 5, 2012 final rule in order to improve

Today, the Department of Health and Human Services (HHS) announced proposed changes to modernize the regulations that interpret the Physician Self-Referral Law (the Stark Law) and the Federal Anti-Kickback Statute. In a press release, HHS states these proposed rules are intended to “provide greater certainty for healthcare providers participating in value-based arrangements and providing coordinated care for patients . . . while maintaining strong safeguards to protect patients and programs from fraud and abuse.”

Over the last 30 years, HHS has issued a series of final regulations establishing exceptions and safe harbors that limit the reach of the Stark Law’s strict liability civil penalties and the Anti-Kickback Statute’s criminal penalties to protect from enforcement certain non-abusive and beneficial arrangements. These final regulations have not, however, reflected the significant shift in recent years in health care delivery and payment systems from a fee-for-service model to models based on improving value and quality of care provided to patients. As a result, many in the health care industry identify these laws, as well as the Civil Monetary Penalty (CMP) Law, as barriers to more effective care coordination and management that can deliver value-based care to improve quality of care, health outcomes, and efficiency. In response, on June 25, 2018, the Centers for Medicare & Medicaid Services (CMS) published a Request for Information seeking input on how it could address existing Stark Law barriers to these emerging value-based payment and delivery systems. Similarly, on August 27, 2018, the Office of Inspector General (OIG) published a Request for Information seeking feedback on how OIG could modify or add new safe harbors addressing these barriers. CMS and OIG received more than 350 comments each, which HHS has considered in publishing these proposed rules.

CMS and OIG Coordinated Proposals

The proposed rules, which span hundreds of pages, reflect close coordination between CMS and OIG, which tried to align the regulations, where appropriate, and the proposals are significant. More specifically, the coordinated proposals include:

  1. Three new exceptions and safe harbors for value-based payment arrangements
  2. Modifications to the existing electronic health record (EHR) exception and safe harbor
  3. The addition of a new exception and safe harbor related to the provision of cybersecurity technology and services


Continue Reading Proposed Rules to Modernize Stark Law and Anti-Kickback Statute Released Today

The Department of Health & Human Services (HHS) Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed revisions to federal rules governing the confidentiality of patient records created by federally-assisted substance use disorder (SUD) treatment programs.  The proposed rule is intended to support coordinated care among providers that treat patients with SUDs, while maintaining

Today the U.S. Department of Health and Human Services (HHS) announced that it would extend until June 3, 2019 the comment periods for the Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) proposed interoperability and information blocking rules.  CMS also announced that as a result of public comments, it “will adjust the effective dates of our policies to allow for adequate implementation timelines as appropriate.”

In related developments, the ONC also released the second draft of the Trusted Exchange Framework and Common Agreement, along with a related Notice of Funding Opportunity.  In addition, HHS released a set of frequently asked questions (FAQs) from the Office for Civil Rights (OCR), addressing HIPAA’s right of access as related to apps designated by individual patients and application programming interfaces (APIs) used by a healthcare provider’s electronic health record (EHR) system.  The FAQs clarify, among other things, that once protected health information (PHI) has been shared by a HIPAA covered entity with a third-party app, as directed by the individual, the covered entity will not be liable under HIPAA for subsequent use or disclosure of electronic PHI, provided the app developer is not itself a business associate of a covered entity or other business associate. 
Continue Reading HHS Announces Extended Comment Period for Healthcare Interoperability Proposed Rules, Releases New HIPAA FAQs

The Centers for Medicare & Medicaid Service (CMS) has issued regulations to address revised statutory requirements related to manufacturer calculation of Medicaid drug rebates.  Specifically, CMS recently published an interim final rule with comment period that revises the regulatory text at 42 CFR § 447.509(a)(4) to reflect Bipartisan Budget Act (BBA) of 2018 language

The Centers for Medicare & Medicaid Services (CMS) and the Office of Inspector General (OIG) have finalized changes to State Medicaid Fraud Control Unit (MFCU) regulations to reflect statutory changes and policies adopted since the MFCU rules were first issued in 1978.  Among other things, the regulations incorporate statutory policies that:  authorize a federal matching

The Centers for Medicare & Medicaid Services (CMS) and the Centers for Disease Control and Prevention (CDC) have proposed updates to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) proficiency testing (PT) regulations to address the evolution in laboratory testing technology since the CLIA PT regulations were initially established in 1992.  The proposed rule would,

The Department of Health and Human Services (HHS) has issued a proposed rule that would modify the current HIPAA transaction standard for retail pharmacy transactions (the August 2007 revision of NCPDP telecommunications standard D.0) with respect to claims and similar transactions for Schedule II drugs.  HHS states that the change would enable covered entities to

The Department of Health and Human Services (HHS) is proposing to rescind the standard unique health plan identifier (HPID) and the other entity identifier (OEID), along with related implementation specifications and requirements for their use.

HHS adopted the HPID and OEID in a September 5, 2012 final rule, but HHS announced a