Photo of Craig Anderson

On April 24, 2023, the OIG formally announced that it will be modernizing its existing Compliance Program Guidance (“CPG”).

The OIG has provided a CPG for various industry subsections since 1998.  Each CPG was developed in an effort to set forth voluntary compliance standards to be utilized in identifying and preventing fraud and abuse in federal health care programs.  In September 2021, the OIG published a request for information (“RFI”), wherein OIG requested insight on how providers use CPG and what improvements could be made to provide more relevant and accessible guidance.  

Providers and other industry representatives made recommendations including, but not limited to, creating industry-specific guidance, consolidating existing CPG, enabling user-friendly access to CPG, and ensuring ongoing updates to identify the OIG’s current positions on new and emerging risks in health care.Continue Reading OIG announces Modernization of Compliance Program Guidance

The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023

For years, health care providers regulated by both Part 2 and HIPAA and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.

As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations. Continue Reading HHS proposes update to Part 2 confidentiality regulations to align with HIPAA

Under provisions of the 21st Century Cures Act (Cures Act), providers of Medicaid-funded personal care services (PCS) and home health care services (HHCS) will need to be fully compliant with their state’s electronic visit verification (EVV) systems by January 1, 2023

Congress passed the Cures Act on December 13, 2016. Among other things, in an effort to increase transparency and reduce fraud in connection with the delivery of health care services, this law mandated that states implement EVV systems for all Medicaid-funded (including under waiver programs) PCS by January 1, 2019, and HHCS by January 1, 2023, in each case where services include an in-home visit by a provider. Subsequent legislation extended the deadline for PCS to implement EVV requirements to January 1, 2020. However, the deadline for HHCS remains January 1, 2023, and is quickly approaching.

Providers of PCS and HHCS services should make sure that they are working towards implementing EVV systems in their own business operations in compliance with applicable state requirements, the majority of which also are requiring provider compliance by January 1, 2023Continue Reading Home Health Care Services Electronic Visit Verification System Implementation Required by January 1, 2023

On June 29, 2022, the U.S. Department of Health & Human Services’ Office for Civil Rights (“OCR”) issued two pieces of guidance clarifying the applicability of the Health Insurance Portability and Accountability Act (“HIPAA”) related to privacy of information connected to an individual’s reproductive health. 

Through this guidance, HIPAA addresses both protected health information (“PHI”), which is subject to HIPAA’s rules, as well as general, personal information that is not directly protected by HIPAA.Continue Reading New Guidance by OCR addresses HIPAA and Disclosures of Information relating to Reproductive Health

On June 11, 2021, the Department of Health and Human Services (“HHS”) announced that it had released revised reporting requirements for those providers and suppliers that have received Provider Relief Fund payments during the COVID-19 pandemic. Readers may recall that HHS previously issued notices on post-payment reporting requirements starting in July 2020, and that previous