Photo of Nancy Halstead

Nancy Halstead

Subscribe to Nancy Halstead's Posts
Follow:Read more about Nancy HalsteadNancy's Linkedin Profile

In a significant ruling among the first to analyze the application of information blocking regulations, the U.S. Court of Appeals for the Fourth Circuit affirmed a preliminary injunction against an EHR company in favor of a diagnostic analytics services company. The injunction grants the analytics company access to patient data, enabling the company to provide its analytics services to nursing facility customers who use the EHR vendor’s services.

The case, Real Time Medical Systems, Inc. v. PointClickCare Technologies, Inc., No. 24-1773 (4th Cir. 3/12/25), arises out of claims by Real Time Medical Systems, Inc. (“Real Time”) that PointClickCare Technologies, Inc. (“PCC”) implemented a technical protocol that cut-off Real Time’s appropriate access to its customers’ electronic health information (“EHI”) and that PCC did not implement this protocol for legitimate security or performance reasons as PCC claimed, but rather to interfere with Real Time’s business so that PCC could capture Real Time’s market share with its own competing analytics products.Continue Reading Information blocking victory in favor of access to health data

In an era where cyberattacks on the health care industry have become alarmingly frequent and catastrophic, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has taken a bold step forward. The recently issued Notice of Proposed Rulemaking (NPRM) is OCR’s direct response to the escalation of cyber threats and

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) will start to enforce compliance later this month with new special protections for individuals’ reproductive health information as required by a recently finalized HIPAA Privacy Rule, as we noted in an earlier blog post. While the incoming Trump Administration may change

In the final 2025 Medicare Physician Fee Schedule, which is set to be published in the Federal Register on December 9, the Centers for Medicare and Medicaid Services (CMS) included substantive changes to the regulations governing when a provider must report and return a Medicare overpayment in order to avoid liability under the False Claims

In its recently released 2025 proposed Medicare Physician Fee Schedule (“MPFS”), the Centers for Medicare & Medicaid Services (“CMS”) proposed two important modifications to the Medicare 60-day overpayment refund rule—a new “identified overpayment” standard and codification of a 6-month timeframe to investigate and quantify an overpayment.

A product of the Affordable Care Act, the 60-day rule requires a person to report and return Part A and B overpayments within 60 days of identification. In 2016, CMS clarified that an overpayment is “identified” when a person, “through the exercise of reasonable diligence,” should have identified and quantified an overpayment. In the preamble to the 2016 rule, CMS established that “reasonable diligence” is demonstrated through a timely, good faith investigation, which is, at most, 6 months from the receipt of credible information of a potential overpayment.Continue Reading CMS Revisits Medicare Overpayment Standards in 2025 Physician Fee Schedule

The Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) have released a final rule establishing “disincentives” (i.e., penalties) for health care providers that participate in certain Medicare payment programs who have engaged in information blocking, as determined by the HHS Office of Inspector General

In the two years since the Dobbs v. Jackson Women’s Health decision from the Supreme Court, state legislatures and courts have attempted to define the new post-Roe landscape in health care. That effort includes actions by states to enact health data privacy laws or to amend existing privacy laws to protect consumer health data

The Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) has published its first final rule on Health Data, Technology and Interoperability. The rule, known as the HTI-1 rule, takes effect on February 8, and governs updates to the ONC’s Health IT Certification Program, as well as regulations on information blocking.

Among the program criteria that the rule addresses include those related to decision support, electronic case reporting and standards-based application programming interfaces (APIs). To address the question of information blocking, the rule provides refined definitions of statutory terms and identifies practices that cannot constitute information blocking as they are considered by ONC to be “reasonable and necessary.”Continue Reading ONC Finalizes Information Sharing and Algorithm Transparency Rule

Three years after the Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) issued a final rule that defined and clarified the scope of the information blocking provisions of the 21st Century Cures Act (the Information Blocking Rule), the HHS Office of Inspector General (OIG) has now published its own final rule implementing penalties for violations of the Information Blocking Rule by certain regulated actors (the OIG Final Rule). 

The OIG Final Rule (i) implements OIG’s authority to impose civil money penalties (CMP) related to violations of the Information Blocking Rule; (ii) explains OIG’s approach to enforcement of its information blocking CMP authority; and (iii) codifies the CMP amounts at 42 C.F.R. part 1003, conforming with the Civil Monetary Penalties Law as amended by the Bipartisan Budget Act of 2018.

The OIG Final Rule is effective August 2, 2023, however, enforcement of the information blocking penalties will begin on September 1, 2023. Importantly, OIG will not impose information blocking CMPs for conduct occurring prior to September 1, 2023.Continue Reading OIG Finalizes Information Blocking Penalties

On February 28, 2023, six of the seven Medicare Administrative Contractors (MACs), who administer Medicare reimbursement on behalf of the Centers for Medicare and Medicaid Services (CMS), came together for a multijurisdictional contractor advisory committee (CAC) meeting. The purpose of the CAC meeting was to discuss remote physiologic monitoring (RPM) and remote therapeutic monitoring (RTM) for non-implantable devices. Specifically, the MACs were looking to determine whether a local coverage determination (LCD) should be developed to guide those performing remote patient monitoring and utilizing these billing codes.  

The public was permitted to submit written comments and responses to a set of specific discussion questions through March 10, 2023. The questions covered a range of issues including the advantages of RPM/RTM in a clinical setting and the use of third-party vendors in the provision of RPM/RTM services.

Importantly, if any MAC decides to develop an LCD after the CAC, the LCD will be published both on the MAC’s webpage and on the Medicare Coverage Database. The LCD will then go through a public comment period and other administrative hurdles before it can be finalized as policy. To date, there have been no established Medicare coverage policies for remote monitoring services. Continue Reading MACs Consider Guidance on Remote Patient Monitoring Amid Exploding Utilization

[Note, this is Part 2 in an ongoing series of posts exploring substantive aspects of the Consolidated Appropriations Act, 2023 (P.L. 117-328) (referred to hereafter as 2023 CAA). Part 1, available here, covered changes in Medicare payment rates.]

Buried in the “Miscellaneous” chapter of Subtitle F (“Cross-Cutting Provisions”) of the Food and Drug Administration Title (Title III) of the 2023 CAA is Section 3630, a provision without a short title called “Facilitating exchange of product information prior to approval.”

This provision was originally proposed as the Pre-approval Information Exchange Act (or PIE Act) in March 2022 and was included in the House version of the Food and Drug Administration user fee legislation before being dropped from that legislation along with almost all other policy riders in a deal to get the FDA User Fee program approved before it expired.

But the same language was included in the 2023 CAA that was signed into law on Dec. 29, 2022. And again, while it was not directly entitled as such in the law, it is the PIE Act and that is how this post will refer to it. So, exactly what is the PIE Act and what does it do?  Before assuming there is “PIE” for everyone, read more for important content on the boundaries of this law, and remaining challenges for companies seeking to exchange information under this statutory authority.Continue Reading Health Provisions of the Consolidated Appropriations Act, 2023: Part 2 The PIE Act

The Department of Health and Human Services Office of Inspector General (HHS-OIG) recently published a Special Fraud Alert warning health care providers (e.g., prescribers, pharmacies, durable medical equipment providers, clinical laboratories) to steer clear of certain telemedicine arrangements and outlining seven “suspect” characteristics that may present heightened risk of fraud and abuse.

The alert coincides with a third round of criminal “telemedicine takedowns” announced by the Department of Justice (DOJ)  in the last several years, reflecting DOJ’s continued focus on identifying and dismantling fraudulent arrangements that exploit telemedicine technologies and related regulatory flexibilities in the wake of the COVID-19 pandemic.

Telemedicine technologies have created a multitude of opportunities for growth and innovation within the health care industry and are well-positioned to become an ongoing cornerstone of our health care delivery system. However, given the increased level of regulatory scrutiny of telemedicine arrangements, providers and telehealth technology companies, including drug and device manufacturers that offer telemedicine technologies (e.g., platforms, mobile applications) for prescribers and patients that facilitate virtual care,  should carefully plan and closely evaluate existing arrangements to ensure compliance with applicable state and federal laws and avoid implication amongst the recent uptick in enforcement.Continue Reading Telehealth Under Scrutiny: OIG Special Fraud Alert and DOJ Enforcement Highlights Suspect Characteristics Associated with High-Risk Telemedicine Arrangements

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow-down from QHINs.Continue Reading ONC’s Trusted Exchange Framework and Common Agreement (TEFCA): Impacts on Health Information Networks and Health Care Organizations

The Department of Health and Human Services’ Office of Inspector General (“OIG”) recently issued a favorable advisory opinion to a digital health company that offers direct monetary incentives to patients as part of a technology-enabled contingency management program for patients with substance use disorders.

Contingency management, also known as motivational incentives, is a treatment approach that utilizes tangible rewards to reinforce positive behaviors (e.g., abstinence from opioids) and to motivate and sustain behavioral health efforts (e.g., treatment adherence) in patients who suffer from substance use disorders. Because these monetary incentives are an integral part of the protocol-driven and evidenced-based program, the OIG concluded that it would not impose sanctions under the federal Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty (“CMP”) provision, notwithstanding the involvement of federal health care program beneficiaries, providers/suppliers, and reimbursable services.

Nevertheless, the mitigating facts that motivated the OIG’s favorable treatment of the program here—namely, the clinical nature and independence of the program—could likely trigger compliance with other federal and state regulatory frameworks.
Continue Reading OIG blesses digital health substance use disorder treatment program paid for by providers and suppliers

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposes pivotal changes

Just two business days before the first of many critical components of the new 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) were set to take effect, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC)

Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).
Continue Reading Patient access to health information at the forefront of government initiatives and scrutiny

Following more than a month of silence from the U.S. Department of Health and Human Services (HHS) on the publication of its widely anticipated companion interoperability and information blocking final rules to the Federal Register, HHS’s Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the Office of the Inspector General (OIG), issued a joint statement announcing a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the final rules in response to the COVID-19 public health emergency.  The agencies indicated that they would continue to monitor the developing public health emergency to determine if further action is necessary.

OIG Proposed Rule

OIG issued an unpublished proposed rule amending the civil monetary penalty (CMP) regulations to include new CMP authorities for violations of ONC’s information blocking final rule.  OIG is seeking comment on when information blocking enforcement should begin, but has proposed to delay enforcement until 60 days after publication of the OIG’s final rule.  At a minimum, enforcement would not begin sooner than the compliance date for the ONC final rule established in 45 CFR § 171.101(b), which is November 2, 2020.

CMS Final Rule

CMS announced that the agency is extending the implementation timeline by an additional six months for certain components of its interoperability rule, including, for example, the admission, discharge, and transfer notification Conditions of Participation (CoPs).  In the unpublished version of CMS’ final rule, the agency initially stated these CoPs would be effective six months after the publication of the final rule.  Now, they will be effective one year after the final rule is published in the Federal Register – a date that is still to be determined.  CMS will implement and enforce other policies contained in the final rule on schedule.

ONC Final Rule

Earlier this week, ONC reissued the unpublished version of its final rule, which is now set for publication on May 1, 2020, with an effective date of June 30, 2020.  While the publication date triggers multiple compliance dates for various components of the interoperability and information blocking provisions (set at 60 days, 6 months, and 24 months following publication), the agency is changing that timeline for certain requirements in light of the COVID-19 crisis.  ONC has published new enforcement discretion dates and timeframes on its website.  We have summarized some key changes to the ONC final rule compliance timeline below.Continue Reading HHS Delays Compliance for Sweeping Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information.  The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.

Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.

ONC Final Rule

For Providers, Health Information Networks or Exchanges, and Health IT Developers

  • Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.”  Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know or (b) if conducted by a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
    • EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule.  In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
    • Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA.  However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
  • Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
  • Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking.  According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met.  Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
  • Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor.  Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.

Continue Reading HHS Finalizes Healthcare Interoperability and Information Blocking Rules