Photo of Nancy Halstead

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow-down from QHINs.

Continue Reading ONC’s Trusted Exchange Framework and Common Agreement (TEFCA): Impacts on Health Information Networks and Health Care Organizations

The Department of Health and Human Services’ Office of Inspector General (“OIG”) recently issued a favorable advisory opinion to a digital health company that offers direct monetary incentives to patients as part of a technology-enabled contingency management program for patients with substance use disorders.

Contingency management, also known as motivational incentives, is a treatment approach that utilizes tangible rewards to reinforce positive behaviors (e.g., abstinence from opioids) and to motivate and sustain behavioral health efforts (e.g., treatment adherence) in patients who suffer from substance use disorders. Because these monetary incentives are an integral part of the protocol-driven and evidenced-based program, the OIG concluded that it would not impose sanctions under the federal Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty (“CMP”) provision, notwithstanding the involvement of federal health care program beneficiaries, providers/suppliers, and reimbursable services.

Nevertheless, the mitigating facts that motivated the OIG’s favorable treatment of the program here—namely, the clinical nature and independence of the program—could likely trigger compliance with other federal and state regulatory frameworks.
Continue Reading OIG blesses digital health substance use disorder treatment program paid for by providers and suppliers

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposes pivotal changes

Just two business days before the first of many critical components of the new 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) were set to take effect, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC)

Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).
Continue Reading Patient access to health information at the forefront of government initiatives and scrutiny

Following more than a month of silence from the U.S. Department of Health and Human Services (HHS) on the publication of its widely anticipated companion interoperability and information blocking final rules to the Federal Register, HHS’s Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the Office of the Inspector General (OIG), issued a joint statement announcing a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the final rules in response to the COVID-19 public health emergency.  The agencies indicated that they would continue to monitor the developing public health emergency to determine if further action is necessary.

OIG Proposed Rule

OIG issued an unpublished proposed rule amending the civil monetary penalty (CMP) regulations to include new CMP authorities for violations of ONC’s information blocking final rule.  OIG is seeking comment on when information blocking enforcement should begin, but has proposed to delay enforcement until 60 days after publication of the OIG’s final rule.  At a minimum, enforcement would not begin sooner than the compliance date for the ONC final rule established in 45 CFR § 171.101(b), which is November 2, 2020.

CMS Final Rule

CMS announced that the agency is extending the implementation timeline by an additional six months for certain components of its interoperability rule, including, for example, the admission, discharge, and transfer notification Conditions of Participation (CoPs).  In the unpublished version of CMS’ final rule, the agency initially stated these CoPs would be effective six months after the publication of the final rule.  Now, they will be effective one year after the final rule is published in the Federal Register – a date that is still to be determined.  CMS will implement and enforce other policies contained in the final rule on schedule.

ONC Final Rule

Earlier this week, ONC reissued the unpublished version of its final rule, which is now set for publication on May 1, 2020, with an effective date of June 30, 2020.  While the publication date triggers multiple compliance dates for various components of the interoperability and information blocking provisions (set at 60 days, 6 months, and 24 months following publication), the agency is changing that timeline for certain requirements in light of the COVID-19 crisis.  ONC has published new enforcement discretion dates and timeframes on its website.  We have summarized some key changes to the ONC final rule compliance timeline below.

Continue Reading HHS Delays Compliance for Sweeping Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information.  The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.

Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.

ONC Final Rule

For Providers, Health Information Networks or Exchanges, and Health IT Developers

  • Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.”  Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know or (b) if conducted by a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
    • EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule.  In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
    • Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA.  However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
  • Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
  • Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking.  According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met.  Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
  • Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor.  Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.


Continue Reading HHS Finalizes Healthcare Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) started the new decade by keeping up its momentum to encourage patient engagement and support the secure expansion of digital health by releasing proposed rules and policy initiatives. On January 15, 2020, the HHS Office for the National Coordinator for Health Informational Technology (ONC) released a draft of its 2020-2025 Federal Health IT Strategic Plan (Plan). The outcomes-driven Plan, which ONC collaboratively developed with 25 federal organizations, aims to promote a health IT economy that balances increased transparency, competition, and consumer choice with privacy and security of patient health information. The Plan reflects HHS’ ongoing efforts to create pathways for patients to actively engage in their health outcomes and navigate personalized care alternatives.

The Plan is intended to serve as a five-year roadmap for federal health IT initiatives and activities, and to function as a catalyst for streamlined activities in the private sector. In particular, the Plan highlights four key goals with supporting objectives, all focused on meeting the needs of patients, caregivers, health care providers, payers, researchers, developers, and innovators by increasing access to health information, emphasizing product and pricing transparency, and encouraging interoperability.
Continue Reading HHS Sustains Digital Health Momentum and Continues Publishing Policy Initiatives to Kick-off 2020

Today, the Department of Health and Human Services (HHS) announced proposed changes to modernize the regulations that interpret the Physician Self-Referral Law (the Stark Law) and the Federal Anti-Kickback Statute. In a press release, HHS states these proposed rules are intended to “provide greater certainty for healthcare providers participating in value-based arrangements and providing coordinated care for patients . . . while maintaining strong safeguards to protect patients and programs from fraud and abuse.”

Over the last 30 years, HHS has issued a series of final regulations establishing exceptions and safe harbors that limit the reach of the Stark Law’s strict liability civil penalties and the Anti-Kickback Statute’s criminal penalties to protect from enforcement certain non-abusive and beneficial arrangements. These final regulations have not, however, reflected the significant shift in recent years in health care delivery and payment systems from a fee-for-service model to models based on improving value and quality of care provided to patients. As a result, many in the health care industry identify these laws, as well as the Civil Monetary Penalty (CMP) Law, as barriers to more effective care coordination and management that can deliver value-based care to improve quality of care, health outcomes, and efficiency. In response, on June 25, 2018, the Centers for Medicare & Medicaid Services (CMS) published a Request for Information seeking input on how it could address existing Stark Law barriers to these emerging value-based payment and delivery systems. Similarly, on August 27, 2018, the Office of Inspector General (OIG) published a Request for Information seeking feedback on how OIG could modify or add new safe harbors addressing these barriers. CMS and OIG received more than 350 comments each, which HHS has considered in publishing these proposed rules.

CMS and OIG Coordinated Proposals

The proposed rules, which span hundreds of pages, reflect close coordination between CMS and OIG, which tried to align the regulations, where appropriate, and the proposals are significant. More specifically, the coordinated proposals include:

  1. Three new exceptions and safe harbors for value-based payment arrangements
  2. Modifications to the existing electronic health record (EHR) exception and safe harbor
  3. The addition of a new exception and safe harbor related to the provision of cybersecurity technology and services


Continue Reading Proposed Rules to Modernize Stark Law and Anti-Kickback Statute Released Today

A recent False Claims Act (“FCA”) settlement involving an allegedly overpaid Florida medical practice reaffirms the interplay between the 60-Day Overpayment Statute and the FCA, but also highlights the importance for all providers and suppliers to report and return overpayments, regardless of the source of federal funds.

According to the Department of Justice (“DOJ”), First Coast Cardiovascular Institute (“FCCI”) allowed credit balances from various federal health care programs to accrue despite multiple internal warnings that the balances should be paid back. DOJ alleged that FCCI’s failure to return those credit balances within 60 days violated the FCA. DOJ’s comments are notable, however, because the credit balances not only involved Medicare and Medicaid, but also TRICARE and the Department of Veterans Affairs, both of which are outside the scope of the 60-Day Overpayment Statute. DOJ and FCCI resolved the alleged $175,000 in unreturned overpayments for a $448,821.58 price.
Continue Reading DOJ Settles Second 60-Day Overpayment Case, Highlights Broader Reach of the FCA’s Reverse False Claims Provision

In a clear turnabout from its previous position, the Centers for Medicare & Medicaid Services (CMS) issued a proposed rule on June 5, 2017 that would lift the agency’s ban on pre-dispute arbitration agreements in the long term care (LTC) setting. By contrast, less than nine months earlier, CMS prohibited LTC facilities from entering into pre-dispute arbitration agreements with residents, conditioning admission to a facility on the execution of such agreements, or making a resident’s continuing right to remain at a facility contingent upon a post-dispute arbitration agreement.

The industry’s response to the ban was swift and resolute—on October 17, 2016, the American Health Care Association and a group of nursing homes filed a lawsuit in federal court seeking a preliminary and permanent injunction to prevent CMS from enforcing the ban on pre-dispute arbitration agreements. The U.S. District Court for the District of Mississippi granted the request for preliminary injunction on November 7, 2016, stalling enforcement of the final rule’s arbitration provisions.
Continue Reading CMS Reverses Course in Pre-Dispute Arbitration Agreement Ban

CMS has issued its proposed rule to update Medicare skilled nursing facility (SNF) prospective payment system (PPS) rates and policies for FY 2018, while at the same time soliciting comments regarding a forthcoming and potentially ground-breaking proposed rule to replace the SNF PPS RUG-IV case-mix classification methodology, which forms the basis for SNF payment, with the Resident Classification System, Version I (RCS-I), as early as FY 2019.

For nearly ten years, CMS, the Office of Inspector General, and the Medicare Payment Advisory Commission have raised concerns that the current SNF payment system encourages providers to deliver therapy to residents based on financial goals and not patient need.  The RCS-I case-mix model, which was developed during the SNF Payment Models Research initiative, attempts to address those concerns by removing service-based metrics from the SNF PPS and deriving payment, almost exclusively, from objective resident characteristics.  Most notably, the proposed RCS-I case-mix model would:
Continue Reading CMS Simultaneously Releases Proposed Rule to Update SNF PPS for FY 2018 & Advance Notice of Proposed Rulemaking (ANPRM) to Replace RUG-IV Case-Mix Methodology as Early as FY 2019

The Centers for Medicare & Medicaid Services (“CMS”) published the long-awaited final rule February 12, 2016, clarifying the specific procedures applicable to the statutory requirement under the Affordable Care Act (“ACA”) for providers and suppliers to report and return overpayments within 60 days. While the final rule eased some of the law’s more unforgiving aspects, its limited scope brought up new questions about the breadth of the law itself.

Despite concerns raised by a number of commenters in response to the proposed rule, CMS limited the scope of the final rule to Medicare Parts A and B only. In other words, the final rule clarifies the obligations of Medicare providers and suppliers to report and return overpayments originating under Medicare Parts A and B. Commenters expressed concern about this limitation and the lack of rationale for distinguishing Medicare Parts A and B from Medicare Parts C and D; they also voiced the need shared by all providers and suppliers for guidance on the overpayment requirements. In response, CMS reasoned that differences in how the Medicare programs are administered necessitated separate rulemakings. Interestingly, the agency did not indicate whether a separate rulemaking would be forthcoming, but instead directed providers and suppliers to their existing statutory obligations under the ACA, and a prior rulemaking applicable to reporting and returning overpayments in the Medicare Parts C and D context, for further guidance. In its response, CMS appears to assume, without stating expressly, that the law and the agency’s prior rulemaking apply to providers and suppliers receiving payments under Parts C and D.


Continue Reading So You’re an Overpaid Medicare Part C/D Provider or Supplier: Can You Keep the Change?

Immediately following Sunday’s tragic shooting at a nightclub in Orlando, friends and family frantically gathered at Orlando Regional Medical Center, attempting to get information about their loved ones.  However, hospital officials hesitated to provide specific updates.  Why?  Because the Health Insurance Portability and Accountability Act (HIPAA) and implementing regulations restrict the patient-identifiable health information that “covered entities,” like Orlando Regional Medical Center, are permitted to disclose without proper patient authorization or consent.

Shortly following the massacre, Orlando local news outlets reported that after Orlando Regional’s CEO expressed concern regarding families requesting detailed patient health information at the hospital’s emergency room, Orlando Mayor Buddy Dyer contacted the White House and requested a waiver of the HIPAA regulations.  While the HIPAA Privacy Rule is not automatically suspended during a national or public health emergency, the Secretary of the Department of Health and Human Services (HHS) may waive certain provisions of HIPAA under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.  In order to take advantage of the waiver, the President must declare an emergency or disaster and the Secretary of HHS must declare a public health emergency.

Continue Reading Reexamining HIPAA’s Applicability During Emergencies After the Tragedy in Orlando

The Centers for Medicare & Medicaid Services (“CMS”) released today the long awaited final rule clarifying the statutory requirement under the Affordable Care Act for providers and suppliers to report and return Medicare overpayments within 60 days (the “Overpayment Final Rule”).  The Rule only applies to Medicare Part A and Part B providers and suppliers and will be effective 30 days after publication, which will occur tomorrow. Noteworthy provisions of the Overpayment Final Rule include:
Continue Reading CMS Eases 60-Day Overpayment Requirement in Final Rule While Raising New Questions

On June 9, 2015, the Office of the Inspector General of the Department of Health and Human Services (OIG) released a fraud alert warning physicians to scrutinize carefully the conditions and terms of any medical director or other compensation arrangement they enter into with potential recipients of Federal health care program business. The risks associated with these arrangements under the anti-kickback statute are not new. However, the fraud alert signals  the OIG’s current focus on physicians, which reportedly has also included hiring additional attorneys to handle investigative and enforcement activity involving physicians. Moreover, the government now has access to unprecedented amounts of data regarding financial arrangements between physicians and drug and device manufacturers.

The fraud alert follows on the heels of a dozen recent settlements between the OIG and individual physicians who allegedly received kickbacks disguised as medical directorships and other office staff arrangements. In those settlements, the OIG determined the physicians played an integral role in the schemes and specifically alleged that the agreements:

Continue Reading An Apple a Day Keeps the OIG Away: Practical Guidelines for Structuring Physician Compensation Arrangements to Avoid Kickback Allegations

As part of the final 2015 Medicare physician fee schedule rule, CMS is adopting – with certain refinements – its proposed changes to the regulations implementing the Physician Payment Sunshine Act. By way of background, the Sunshine Act requires pharmaceutical and medical device manufacturers and group purchasing organizations to submit to CMS certain

Today the Centers for Medicare & Medicaid Services (CMS) issued an advance copy of the CY 2015 Medicare Physician Fee Schedule (PFS) proposed rule, which includes certain changes to the regulations implementing the Physician Payment Sunshine Act, also known as the Open Payments program. These proposed changes come just three days after the inaugural

The Centers for Medicare & Medicaid Services (CMS) has published the long-awaited Final Rule to implement the “Sunshine” provisions of the Affordable Care Act of 2010 (ACA).  The Sunshine provisions – intended to provide increased transparency regarding the scope and nature of financial and other relationships among manufacturers, physicians, and teaching hospitals – require that