Photo of Vicki Tankle

Vicki Tankle

Subscribe to Vicki Tankle's Posts
Contact: Read more about Vicki Tankle

The Department of Health and Human Services recently issued a proposed rule that would streamline the federal regulations governing the confidentiality of substance use disorder (SUD) patient records at 42 CFR Part 2 (Part 2) with the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). Comments on the proposed rule are due to HHS by January 31, 2023

For years, health care providers regulated by both Part 2 and HIPAA and their patients, have wrestled with the inconsistencies across these two privacy frameworks. Part 2, for example, currently imposes different patient consent requirements and disclosure restrictions on Part 2-protected SUD treatment records (Part 2 Records) than HIPAA, even though such records often constitute protected health information (PHI) as well. The inconsistencies (and in some cases, conflicts) between HIPAA and Part 2 requirements have created barriers to information sharing and confusion and compliance challenges for entities regulated under both frameworks, which in turn have unnecessarily impeded treatment access and care coordination.

As noted in the HHS fact sheet and the press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA), the proposed rule would, if finalized, enhance care coordination, afford patients a formal right of access to their SUD records, and extend HIPAA’s breach notification standards to Part 2-regulated providers and information. The proposed rule would also allow health care providers to align internal privacy compliance programs, the importance of which is underscored by another proposal to impose the same HIPAA civil and criminal penalties on regulated providers for noncompliance with Part 2 regulations.

Continue Reading HHS proposes update to Part 2 confidentiality regulations to align with HIPAA

The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently issued a bulletin highlighting the application of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to covered entities and business associates (“Regulated Entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies that collect and analyze information about how internet users interact with websites or mobile applications (“Tracking Technologies”). While the Bulletin emphasizes that Regulated Entities have always been prohibited from impermissible uses and disclosures of protected health information (“PHI”) collected through Tracking Technologies, including disclosing PHI to Tracking Technology vendors without entering into business associate agreements (“BAAs”), OCR has been relatively silent on this issue to date.

To highlight the application of HIPAA to Regulated Entities leveraging Tracking Technologies, the Bulletin provides several examples of how Tracking Technologies may collect and share PHI, including on authenticated and unauthenticated webpages, as well as mobile apps. In particular, the Bulletin describes how websites and mobile apps commonly use Tracking Technologies to collect information from users, including identifiers that are unique to users’ mobile devices. This information can then be used by the owner of a website or app, a related vendor, or a third party to gain insights about users’ online activities and to create a unique profile for each user. These insights and information can be used in beneficial ways to help improve care or the patient experience, but they can also be misused to promote misinformation and for other detrimental purposes.

In a nutshell, OCR’s Bulletin stresses that when an individual uses Regulated Entities’ websites or mobile apps, information such as the individual’s medical record number, home or email address, dates of appointments, IP address, geographic location, or medical device ID may constitute PHI subject to HIPAA and should be held by Regulated Entities accordingly. According to OCR, such information generally is PHI, even if the individual does not have an existing relationship with the Regulated Entity and even if the information does not include specific treatment or billing information like dates and types of health care services. Per OCR, this is because the information connects the individual to the Regulated Entity (i.e., it is indicative that the individual has received or will receive health care services or benefits from the covered entity), and thus relates to the individual’s past, present, or future health or health care or payment for care

Continue Reading HHS OCR Issues Bulletin on HIPAA Compliance for Tracking Technologies 

In its latest effort to increase transparency and improve patient access to information about their health care providers the U.S. Department Health and Human Services Centers for Medicare & Medicaid Services (CMS) published a Request for Information (RFI) on October 7, 2022, seeking input on creation of a national provider directory for use by patients, regulators, and insurers.  

According to the announcement, the RFI was prompted by inefficiencies arising from “the fragmentation of current provider directories” maintained by providers, insurers and/or third-party sources that CMS believes could be remedied by a federal provider directory containing “digital contact information containing the most accurate, up-to-date, and validated . . . data in a publicly accessible index.”

The stated goal of the RFI is to examine the feasibility and requirements for a proposed National Directory of Healthcare Providers and Service (NDH). Responses to the RFI are due by December 6, 2022, and stakeholder comments already are being submitted.

Continue Reading CMS Considers National Directory of Healthcare Providers and Services

The Department of Health and Human Services Office of Inspector General (HHS-OIG) recently published a Special Fraud Alert warning health care providers (e.g., prescribers, pharmacies, durable medical equipment providers, clinical laboratories) to steer clear of certain telemedicine arrangements and outlining seven “suspect” characteristics that may present heightened risk of fraud and abuse.

The alert coincides with a third round of criminal “telemedicine takedowns” announced by the Department of Justice (DOJ)  in the last several years, reflecting DOJ’s continued focus on identifying and dismantling fraudulent arrangements that exploit telemedicine technologies and related regulatory flexibilities in the wake of the COVID-19 pandemic.

Telemedicine technologies have created a multitude of opportunities for growth and innovation within the health care industry and are well-positioned to become an ongoing cornerstone of our health care delivery system. However, given the increased level of regulatory scrutiny of telemedicine arrangements, providers and telehealth technology companies, including drug and device manufacturers that offer telemedicine technologies (e.g., platforms, mobile applications) for prescribers and patients that facilitate virtual care,  should carefully plan and closely evaluate existing arrangements to ensure compliance with applicable state and federal laws and avoid implication amongst the recent uptick in enforcement.

Continue Reading Telehealth Under Scrutiny: OIG Special Fraud Alert and DOJ Enforcement Highlights Suspect Characteristics Associated with High-Risk Telemedicine Arrangements

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow-down from QHINs.

Continue Reading ONC’s Trusted Exchange Framework and Common Agreement (TEFCA): Impacts on Health Information Networks and Health Care Organizations

CMS recently issued updated Open Payments Frequently Asked Questions (FAQs). The FAQs are revised periodically to reflect the most up to date program requirements. This latest revision both added and removed FAQs, and also included some general edits.

The following FAQs were added: #2014, #2015, #2016, #2017, #2018, #2019, #2020, #2021 and #2022. Each new FAQ is reproduced in full below. They provide additional guidance regarding topics such as archived reporting years, salaries paid to covered recipients, reporting of device identifiers, valuing long-term device loans, debt forgiveness, and the definition of Nurse Practitioner.

Additionally, the following FAQs have been removed from the FAQ document “due to being no longer applicable, redundant with another FAQ, or of low utility” (according to CMS):
Continue Reading CMS Issues Updated Open Payments FAQs

The Department of Health and Human Services’ Office of Inspector General (“OIG”) recently issued a favorable advisory opinion to a digital health company that offers direct monetary incentives to patients as part of a technology-enabled contingency management program for patients with substance use disorders.

Contingency management, also known as motivational incentives, is a treatment approach that utilizes tangible rewards to reinforce positive behaviors (e.g., abstinence from opioids) and to motivate and sustain behavioral health efforts (e.g., treatment adherence) in patients who suffer from substance use disorders. Because these monetary incentives are an integral part of the protocol-driven and evidenced-based program, the OIG concluded that it would not impose sanctions under the federal Anti-Kickback Statute (“AKS”) or the Beneficiary Inducements Civil Monetary Penalty (“CMP”) provision, notwithstanding the involvement of federal health care program beneficiaries, providers/suppliers, and reimbursable services.

Nevertheless, the mitigating facts that motivated the OIG’s favorable treatment of the program here—namely, the clinical nature and independence of the program—could likely trigger compliance with other federal and state regulatory frameworks.
Continue Reading OIG blesses digital health substance use disorder treatment program paid for by providers and suppliers

Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes.[1]  In the past year

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposes pivotal changes

Just two business days before the first of many critical components of the new 21st Century Cures Act Interoperability, Information Blocking, and ONC Health IT Certification Program Final Rule (the “Final Rule”) were set to take effect, the U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC)

Even amidst the chaos of a global pandemic, this year multiple U.S. Department of Health and Human Services (HHS) agencies have dialed in on promoting and enforcing patients’ rights to access their health information.

In just the past month, HHS’ Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), settled five costly investigations with HIPAA-regulated parties for potential violations of the HIPAA right of access provision.  Under HIPAA, individuals have a legal, enforceable right to view and obtain copies, upon request, of the information in their medical and other health records maintained by a HIPAA covered entity, typically a health care provider or health plan, with limited exception.  Individuals generally have a right to access this information for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created, whether the information is maintained in paper or electronic systems onsite, remotely, or is archived, or where the information originated (e.g., whether the covered entity, another provider, or the patient).
Continue Reading Patient access to health information at the forefront of government initiatives and scrutiny

Following the distribution of billions of relief aid to healthcare providers and amidst the guidance issued around reopening of nursing homes throughout the country, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) unveiled a COVID-19 Response Strategic Plan on May 26, 2020 after updating its Workplan a few days earlier.

Following more than a month of silence from the U.S. Department of Health and Human Services (HHS) on the publication of its widely anticipated companion interoperability and information blocking final rules to the Federal Register, HHS’s Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), in conjunction with the Office of the Inspector General (OIG), issued a joint statement announcing a policy of enforcement discretion to allow compliance flexibilities regarding the implementation of the final rules in response to the COVID-19 public health emergency.  The agencies indicated that they would continue to monitor the developing public health emergency to determine if further action is necessary.

OIG Proposed Rule

OIG issued an unpublished proposed rule amending the civil monetary penalty (CMP) regulations to include new CMP authorities for violations of ONC’s information blocking final rule.  OIG is seeking comment on when information blocking enforcement should begin, but has proposed to delay enforcement until 60 days after publication of the OIG’s final rule.  At a minimum, enforcement would not begin sooner than the compliance date for the ONC final rule established in 45 CFR § 171.101(b), which is November 2, 2020.

CMS Final Rule

CMS announced that the agency is extending the implementation timeline by an additional six months for certain components of its interoperability rule, including, for example, the admission, discharge, and transfer notification Conditions of Participation (CoPs).  In the unpublished version of CMS’ final rule, the agency initially stated these CoPs would be effective six months after the publication of the final rule.  Now, they will be effective one year after the final rule is published in the Federal Register – a date that is still to be determined.  CMS will implement and enforce other policies contained in the final rule on schedule.

ONC Final Rule

Earlier this week, ONC reissued the unpublished version of its final rule, which is now set for publication on May 1, 2020, with an effective date of June 30, 2020.  While the publication date triggers multiple compliance dates for various components of the interoperability and information blocking provisions (set at 60 days, 6 months, and 24 months following publication), the agency is changing that timeline for certain requirements in light of the COVID-19 crisis.  ONC has published new enforcement discretion dates and timeframes on its website.  We have summarized some key changes to the ONC final rule compliance timeline below.

Continue Reading HHS Delays Compliance for Sweeping Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) issued eagerly anticipated and hotly debated companion interoperability and information blocking final rules that are expected to transform the way in which certain health care providers, health information technology (IT) developers, and health plans share patient information.  The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support the MyHealthEData initiative, designed to allow patients to access their health claims information electronically through the application of their choosing.

Major provisions of each final rule are highlighted below. Note that the final rules have not yet been formally submitted to the Federal Register, so some of the precise effective dates are still to be determined.

ONC Final Rule

For Providers, Health Information Networks or Exchanges, and Health IT Developers

  • Prohibition on Information Blocking. Effective six months following the publication of the final rule, health care providers, health IT developers of certified health IT, and health information exchanges and networks, are banned from “information blocking.”  Information blocking is defined in the rule as engaging in a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information (EHI) and, if (a) conducted by a health IT developer or health information network or exchange, such developer, network or exchange knows, or should know or (b) if conducted by a health care provider, such provider knows – the practice is likely to interfere with, prevent, or materially discourage access, exchange, or use of EHI.
    • EHI means electronic protected health information (EPHI) as the term is defined for HIPAA, to the extent that it would be included in a designated record set, with certain exceptions, regardless of whether the group of records are used or maintained by or for a HIPAA covered entity. This EHI definition will be effective 24 months after the publication of the final rule.  In the interim, for purposes of information blocking, EHI is limited to the EHI identified by the data elements represented in the U.S. Core Data for Interoperability (USCDI) standard.
    • Health care providers include health care facilities, entities, practitioners, and clinicians listed in the Public Health Service Act. ONC did not expand the definition of health care provider in the Final Rule to cover all individuals and entities covered by HIPAA.  However, the final rule leaves this door open by giving the Secretary of HHS discretion to expand the definition of health care provider to any other category the Secretary deems appropriate by future rulemaking.
  • Examples of Information Blocking. According to ONC, information blocking practices could involve, among other things: formal restrictions in contract or licensing terms; limiting or restricting the interoperability of health IT through organizational policies or procedures or other EHI or health IT documentation; information restrictions, such as if an entity simply refuses to exchange or facilitate access to EHI as a general practice or in isolated cases; or use of certain technological measures that limit EHI exchange.
  • Information Blocking Exceptions. The final rule identifies eight activities as exceptions to information blocking.  According to ONC, the exceptions apply to certain activities that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but that would be reasonable and necessary if certain conditions are met.  Each exception falls into one of two categories: (i) exceptions that involve not fulfilling requests to access, exchange, or use EHI; and (ii) exceptions that involve procedures for fulfilling requests to access, exchange, or use EHI.
  • Penalties for Information Blocking. Consistent with the Cures Act, ONC’s information blocking prohibition seeks to deter information blocking through penalties that differ based on the actor.  Health IT developers and health information networks and exchanges are subject to civil money penalties capped at $1 million per violation, while health care providers who violate the information blocking provisions may face unspecified disincentives for violations, to be determined by the appropriate HHS department or agency in subsequent rulemaking.


Continue Reading HHS Finalizes Healthcare Interoperability and Information Blocking Rules

The U.S. Department of Health and Human Services (HHS) started the new decade by keeping up its momentum to encourage patient engagement and support the secure expansion of digital health by releasing proposed rules and policy initiatives. On January 15, 2020, the HHS Office for the National Coordinator for Health Informational Technology (ONC) released a draft of its 2020-2025 Federal Health IT Strategic Plan (Plan). The outcomes-driven Plan, which ONC collaboratively developed with 25 federal organizations, aims to promote a health IT economy that balances increased transparency, competition, and consumer choice with privacy and security of patient health information. The Plan reflects HHS’ ongoing efforts to create pathways for patients to actively engage in their health outcomes and navigate personalized care alternatives.

The Plan is intended to serve as a five-year roadmap for federal health IT initiatives and activities, and to function as a catalyst for streamlined activities in the private sector. In particular, the Plan highlights four key goals with supporting objectives, all focused on meeting the needs of patients, caregivers, health care providers, payers, researchers, developers, and innovators by increasing access to health information, emphasizing product and pricing transparency, and encouraging interoperability.
Continue Reading HHS Sustains Digital Health Momentum and Continues Publishing Policy Initiatives to Kick-off 2020

Advocates have been pushing hard over the past couple of years for the reform and expansion of mental illness and substance use disorder (i.e., behavioral health) treatment in the U.S. The 21st Century Cures Act — which has cleared Congress and is awaiting the President’s signature — includes a number of important provisions that reflect those efforts, including sections intended to strengthen, promote, and expand access to information, care, and coverage with respect to behavioral health care across communities and for individuals, families, and the nation’s health care workforce. The Act also includes $1 billion in block grant funding to target the “epidemic of death” associated with the opioid abuse crisis.

Mental Health and Substance Abuse Disorder Provisions

In one of the most noteworthy behavioral health provisions, the Act strengthens leadership within the Substance Abuse and Mental Health Services Administration (SAMHSA) by creating a new Assistant Secretary position. The new role will oversee mental health and substance abuse research, funding, and evidence-based health care practices, and will drive and coordinate federal policy in this area.  To do so, the Assistant Secretary will consult with stakeholders to improve community-based and other mental health services, including care for adults and children with serious mental illness, as well as collaborate with other federal departments, including the Departments of Defense, Veterans Affairs, Housing and Urban Development, and Labor, to improve care for veterans and service members and support programs to address chronic homelessness.  The Assistant Secretary is also tasked with working with stakeholders to improve the recruitment and retention of mental health and substance use disorder professionals.
Continue Reading Major Mental Illness, Substance Use Disorder Reforms, Opioid Abuse Treatment Funding Included in 21st Century Cures Act

As a reminder, the Food and Drug Administration (FDA) is holding a two-day public meeting on November 9 and 10, 2016 regarding “Manufacturer Communications Regarding Unapproved Uses of Approved or Cleared Medical Products.”  The meeting comes at a time where recent litigation has raised hot-button issues regarding the relationship between FDA, off-label use of

The federal Food and Drug Administration (“FDA”) recently published a draft guidance on labeling for biosimilar products that is intended to assist applicants in developing draft labeling for proposed biosimilar products.

What is a biosimilar product?

Biosimilar products are biological products that are highly similar to an FDA-approved biological product, known as a reference product. Notwithstanding minor differences in clinically inactive components, there can be no clinically meaningful differences between the biological product and the reference product in terms of the safety and efficacy.  In 2010, the Biologics Price Competition and Innovation Act (“BPCIA”) was enacted as part of the Affordable Care Act in order to provide an abbreviated licensure pathway for a biosimilar that partly relies on the data originally submitted to the FDA by the reference product sponsor for approval.
Continue Reading FDA Issues Draft Guidance on Labeling For Biosimilar Products

On January 22, 2016, the federal Food and Drug Administration (“FDA”) issued a draft guidance outlining postmarket recommendations for medical device manufacturers to address cybersecurity risks.  The draft guidance details the agency’s specific recommendations, which address monitoring, identifying and managing cybersecurity vulnerabilities in medical devices that are software, or contain software (including firmware) or programmable logic once they have entered the market. The draft guidance represents a part of the agency’s ongoing efforts to ensure the safety and effectiveness of medical devices in the face of potential cyber threats at all stages in their lifecycles.  Specifically, the draft guidance follows multiple public workshops on the issue and previous FDA guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which contains premarket recommendations for managing cybersecurity risks during the design stage of device development.  We previously blogged about this here.
Continue Reading FDA Issues Postmarket Cybersecurity Recommendations for Medical Devices