HIPAA enforcement actions in the past year have continued to focus on the patient right to access initiative and large scale data breaches. While most of the recent enforcement actions focused on the patient right to access initiative, two noteworthy settlements stemmed from covered entities disclosing protected health information in response to negative online reviews.

Over the past year, the types, sizes, and locations of the investigated entities varied, and resulted in settlements ranging from $3,500 – $240,000. Department of Health and Human Services Office for Civil Rights (“OCR”) seemed to consistently impose comparatively higher settlements amounts for violations that resulted in large scale data breaches.

Continue Reading Patient access and big-ticket data breaches lead OCR enforcement initiatives

The comment period for the U.S. Department of Health and Human Services Office for Civil Rights (OCR proposed changes to Privacy Rule ended on June 16, 2023, and the first portion of comments have been released to the public. As of June 19, 2023, 25,905 comments were submitted to the U.S. Department of Health and Human Services Office for Civil Rights (OCR), with 65 of those comments being made publicly available for review.

The publicly available comments can be viewed on Regulations.gov under the “Browse Posted Comments” tab. The relevant changes at issue were announced on Monday, April 12, 2023 by the OCR issuing a notice of proposed rulemaking (NPRM) to modify the HIPPA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.

Continue Reading HIPAA Privacy Rule commenters express concerns about privacy, health outcomes, LQBTQIA+ rights, and historical health care disparities

Note: This is Part 2 in a series of blog posts on developments from the U.S. Food and Drug Administration (“FDA”) regarding its commitments set forth under the Prescription Drug Under Fee Act Reauthorization Performance Goals and Clinical Trial Diversity and Modernization mandates established by Congress under the Food and Drug Omnibus Reform Act of 2022 (FDORA), including developments on the intersection and use of digital health technology in clinical trials and clinical trial diversity. Part 1, covering the Digital Health Technologies framework is available here.

The Food and Drug Administration (FDA) has released draft guidance intended to help modernize the design and conduct of clinical trials by making them more efficient and enabling them to incorporate the newest technological and methodological advancements into their design.

FDA continues to issue guidance in the wake of the Food and Drug Omnibus Reform Act of 2022 (FDORA), which in part requires FDA to provide further oversight and guidance on “Clinical Trial Diversity and Modernization.” Under Section 3607(c) of FDORA, consistent with its obligations modernize clinical trials, FDA is specifically required to “work with foreign regulators pursuant to memoranda of understanding or other arrangements governing the exchange of information to facilitate international harmonization of the regulation” as it pertains to innovative approaches to clinical trial design and implementation.

Continue Reading FDA Issues Draft Guidance on Good Clinical Practice in Ongoing Clinical Trial Modernization Efforts

Almost two years after issuing its Interim Final Rule requiring COVID-19 vaccination for certain health care works, the Centers for Medicare and Medicaid Services (“CMS”) has issued a final rule addressing several regulations regarding COVID-19 vaccination, testing, and education requirements in health care facilities.

In short, the rule eliminates the COVID-19 vaccine requirement for staff at certain categories of Medicare-participating health care providers and ends COVID-19 vaccination testing requirements for staff at long-term care (“LTC”) facilities. Additionally, the rule finalizes previously interim provisions regarding COVID-19 vaccination “educate and offer” requirements for residents, staff, and clients at LTC facilities and Intermediate Care Facilities for Individuals with Intellectual Disabilities (“ICFs-IID”).

The rule states that rolling back COVID-19 vaccination and testing requirements enacted during the pandemic aligns with the end of Public Health Emergency (“PHE”) on May 11, 2023 and the concomitant reduction in infection rates, decline in deaths, and significant vaccination uptake by the public.

Continue Reading CMS Withdraws Health Care Staff Vaccination Requirements

Earlier this month, in response to the end of the COVID-19 public health emergency, the Department of Health and Human Services (“HHS”) issued the Eleventh Amendment to the declaration under the Public Readiness and Emergency Preparedness Act (“PREP Act”) for medical countermeasures against COVID-19. The PREP Act allows the Secretary of HHS to provide liability immunity, through a declaration, to certain individuals and entities against claims associated with the manufacture, distribution, administration, or use of certain defined medical products or devices, referred to as countermeasures.

HHS originally announced this PREP Act declaration in January 2020 in response to the COVID-19 pandemic (the “Declaration”).  The Declaration has been amended at various points throughout the pandemic.  This latest amendment makes several different updates:

Continue Reading HHS Amends and Extends COVID-19 PREP Act Declaration

On May 3, New York Governor Kathy Hochul signed into law provisions that will require health care entities to submit a notification to the state Department of Health (DOH) providing information about any material transaction involving that health care entity.

The law, passed as part of the state’s budget, was originally crafted to give the DOH authority to review and approve those transactions. Ultimately, following several iterations during the legislative process, that approval power was stripped out by the state general assembly and replaced with the current notice requirement.

The law will take effect on August 1, 2023 and states on its face that it will apply to all “material transactions” involving health care entities that close on or after that date. That said, the requirements for transactions that close between August 1 and August 31 are a somewhat open question, given the 30-day notice requirement in the law. The DOH is tasked by the law with creating regulations that may address this situation.

Continue Reading New York Passes Health Care Transaction Notice Requirements

On April 24, 2023, the OIG formally announced that it will be modernizing its existing Compliance Program Guidance (“CPG”).

The OIG has provided a CPG for various industry subsections since 1998.  Each CPG was developed in an effort to set forth voluntary compliance standards to be utilized in identifying and preventing fraud and abuse in federal health care programs.  In September 2021, the OIG published a request for information (“RFI”), wherein OIG requested insight on how providers use CPG and what improvements could be made to provide more relevant and accessible guidance.  

Providers and other industry representatives made recommendations including, but not limited to, creating industry-specific guidance, consolidating existing CPG, enabling user-friendly access to CPG, and ensuring ongoing updates to identify the OIG’s current positions on new and emerging risks in health care.

Continue Reading OIG announces Modernization of Compliance Program Guidance

On April 24, 2023, the Department of Health and Human Services’ Office of Inspector General (“OIG”) issued a modification to advisory opinion 20-04, from July 2020, where the OIG opined favorably on the proposal to purchase or receive donations of unpaid medical debt owed by qualifying patients from certain types of health care providers, including hospitals, and then forgive that debt.  Now, the OIG has been asked to modify certain conditions related to the public disclosure of hospitals’ donation or sale of medical debt. The requestor of the modification is a charitable organization that locates, buys, and forgives individual patents’ medical debt.

Continue Reading OIG Approves Charity’s Modifications to Plan to Purchase and Forgive Medical Debt

The Centers for Medicare and Medicaid Services (CMS) released a pair of proposed rules on April 27, 2023 that make substantial changes to the structure of Medicaid and the Children’s Health Insurance Program (CHIP), both in the traditional fee-for-service setting and for services provided through managed care organizations (MCOs), and incorporate feedback from stakeholders in a request for information process. Of note, these changes follow closely on the end of the COVID-19 suspension of enrollment processes for Medicaid, which resulted in continuous enrollment for beneficiaries without a need to demonstrate continued qualification for coverage. The rules are not yet published officially, but that publication is expected by next week.

According to CMS, the changes proposed in these new rules are meant to work in conjunction with an earlier proposed rule that streamlined eligibility and enrollment procedures in order to improve access to services and supports through the Medicaid and CHIP program. They do so by creating new standards of timely access and specifying medical loss ratio (MLR) requirements, as well as adding additional avenues for beneficiary feedback and advisory committees to inform state Medicaid directors of best practices.

Below is a high-level summary of some of the more material changes that are proposed in these rules. We will address the rules in more details in later alerts and blog posts.

Medical Loss Ratios and Access to Managed Care

The first of the two proposed rules from CMS addresses access in the managed care context. The rule, Medicaid and Children’s Health Insurance Program (CHIP) Managed Care Access, Finance, and Quality (CMS-2439-P) is scheduled for publication in the Federal Register on May 3, 2023 and has a 60-day comment period, with comments due by July 3, 2023.

Of particular note are the changes that the rule makes to the MLR regulations applicable to Medicaid MCOs. The rule attempts to realign the Medicaid and CHIP MLR regulations with those in existence for Qualified Health Plans and Medicare Advantage organizations. The rule accomplishes this by making changes to (1) the provider incentive arrangement standards, (2) the quality improvement activity reporting, and (3) the expense allocation methodology reporting.

Additionally, the rule attempts to increase access to services within the managed care model by, among other items, establishing maximum wait time standards for routine primary care, establishing a process whereby states use a “secret shopper” method to validate MCO compliance with wait time standards, and conduct annual enrollee experience surveys that are backed by a remedy plan where feedback dictates action.

The rule also makes changes to the State Directed Payment  process to help states use those programs to implement value-based arrangements and include non-network providers to drive quality care to Medicaid and CHIP beneficiaries. The rule includes requirements for the use of state directed payments and increased reporting requirements for states that use such a system.

Changes to Medical Care Advisory System

The second rule, Ensuring Access to Medicaid Services (CMS-2442-P), also has a May, 3, 2023 scheduled publication date and a July 3, 2023 comment date. This rule proposes to “take a comprehensive approach to improving access to care, quality and health outcomes, and better addressing health equity issues in the Medicaid program.”

The primary vehicle that the rule uses to accomplish this goal is a drastic change to the use of advisory committees in the Medicaid care process. The rule first changes the name of the committee to the Medicaid Advisory Committee and then sets forth in detail not only the membership requirements of the committee, but also on the scope of advice that the committee can provide—including policy and effective administration of the Medicaid program.

The rule also establishes a Beneficiary Advisory Group, which it sees as a vehicle for Medicaid beneficiaries, their families and related advocacy groups to provide feedback to the state on the effectiveness and coverage provided by the Medicaid program in that state.

Finally, for the fee-for-service programs, the rule proposes an interested parties advisory group to help the state with rate setting and other issues governing Home and Community Based Services within the state.

We will provide a more detailed analysis of each of the provisions, and their implications for providers and MCOs, of these rules in the coming weeks. If you have any questions or would like to comment on the regulations, please reach out to the health care lawyers at Reed Smith.

In part I, we discussed whether federal district courts could exercise jurisdiction under the federal-question statute over legal challenges to overpayment determinations made by the Centers for Medicare & Medicaid Services (CMS) under the agency’s controversial Risk Adjustment Data Validation (RADV) program for Medicare Advantage (MA) organizations. In part II, we discussed whether MA organizations must exhaust administrative remedies before filing suit under the federal-question statute.

In this final installment, we discuss a litigation nuance of potential significance in this unique context: namely, whether a district court may find that a MA organization can only challenge a RADV overpayment determination in the United States Court of Federal Claims.

Continue Reading A Potential Route to RADV Judicial Review: Part III

The Department of Health and Human Services (HHS) has issued a notice of proposed rulemaking that removes an exception to the definition of “lawfully present” that would then serve to include in that term individuals who have obtained temporary immigration status under the Deferred Action for Childhood Arrivals (DACA) program.

The expansion of the the definition of “lawfully present” would allow DACA recipients as of November 1, 2023 to enroll in a qualified health plan (QHP) from a health insurance exchange as established by the Affordable Care Act. Additionally, the definition change would open up eligibility for DACA recipients to enroll in a Basic Health Program, or Medicaid and the Children’s Health Insurance Program (CHIP) in states that have elected to cover “lawfully residing” pregnant individuals and children.

Continue Reading DACA Recipients Can Enroll in Qualified Health Plans under Proposed HHS Rule

On April 18, 2023, the U.S. Department of Health and Human Services (“HHS”) announced its plan to maintain access to COVID-19 vaccines and treatment following the end of the Public Health Emergency on May 11, 2023. The “HHS Bridge Access Program for COVID-19 Vaccines and Treatments” is a $1.1 billion public-private partnership between HHS, pharmacy chains, and drug manufacturers. Essentially, HHS and drug manufacturers will provide COVID-19 vaccines and treatments, like Paxlovid and Lagevrio, to pharmacy chains, which will administer them to individuals without insurance at no cost.

Under the program, the Centers for Disease Control and Prevention (“CDC”), will use its existing authority under Section 317 of the Public Health Service Act to purchase and distribute COVID-19 vaccines and allocate them through its network of 64 state and local health departments, as well as through Health Resources and Services Administration (“HRSA”) supported health centers.

Continue Reading HHS Proposes Bridge Access Program for COVID-19 Vaccines and Treatments

On Monday, April 12, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy Rule to address the release of reproductive health care information to third parties for the purposes of civil, administrative, or criminal proceedings for care that is lawfully obtained.

OCR has also released a fact sheet on this NPRM. The NPRM included: (1) the addition of new protections with respect to certain information related to reproductive health care; (2) a new obligation for regulated entities to obtain “attestations” (which are different from HIPAA’s traditional authorization) before responding to requests for certain PHI related to reproductive health care; and (3) the modification of the definition of “person,” and the addition of several new definitions.

Continue Reading Proposed changes to HIPAA highlight increased demands for third party access to reproductive health data

Note: This is Part 1 in a series of blog posts on developments from the U.S. Food and Drug Administration (“FDA”) regarding its commitments set forth under the Prescription Drug Under Fee Act Reauthorization Performance Goals and Clinical Trial Diversity and Modernization mandates established by Congress under the Food and Drug Omnibus Reform Act of 2022 (FDORA), including developments on the intersection and use of digital health technology in clinical trials and clinical trial diversity.

The Food and Drug Omnibus Reform Act of 2022 (FDORA) signed by President Biden on December 29, 2022, introduced significant changes to the way in which FDA will provide oversight for clinical trials as it pertains to “Clinical Trial Diversity and Modernization.” Under FDORA, among other things, FDA is required to issue guidance on decentralized clinical trials (which is a clinical trial in which some or all trial-related activities occur at a location separate from the investigator’s location) and to provide clarification on the use of digital health technologies (DHTs) in clinical trials.

Prior to the passage of FDORA, FDA set its sights on DHTs in the Prescription Drug User Fee Act (PDUFA) VII Commitment Letter, acknowledging the increased use of DHTs in drug development and the need for appropriate internal expertise and external guidance for their use and evaluation.

Continue Reading New Opportunities, New Challenges: FDA Elaborates on use of Digital Health in Drug and Biological Product Development

In part I, we discussed whether federal district courts could exercise jurisdiction under the federal-question statute over legal challenges to overpayment determinations made by the Centers for Medicare & Medicaid Services (CMS) under the agency’s controversial Risk Adjustment Data Validation (RADV) program for Medicare Advantage (MA) organizations. After concluding that existing Supreme Court precedent provided a substantial basis for arguing in favor of such jurisdiction, we left for another day the antecedent question whether MA organizations must exhaust administrative remedies before filing suit under the federal-question statute.

The seemingly straightforward exhaustion question presents a host of considerations that belie a one-size-fits-all answer. The practical answer likely depends on the nature of the specific overpayment determination at issue and the grounds upon which the MA organization wishes to challenge that determination.

Continue Reading A Potential Route to RADV Judicial Review: Part II

On March 24, 2023, the Department of Health and Human Services’ Office of Inspector General (“OIG”) issued an advisory opinion in response to a proposal by a laboratory test kit company to provide prepaid gift cards to individuals, including federal health care program beneficiaries, to encourage use of its colorectal cancer screening test. The company specifically requested the opinion to determine whether the proposed gift card arrangement would constitute grounds for sanctions under federal Anti-Kickback Statute (“AKS”) and other sections of the Social Security Act. The OIG concluded that while proposed arrangement would generate prohibited remuneration under the AKS if the requisite intent were present, it would not impose administrative sanctions if the company implemented the gift card arrangement.

The company’s parent entity manufactures a non-invasive colorectal cancer screening test that has been approved by the U.S. Food and Drug Administration. The screening test is covered by Medicare Part B every three years for beneficiaries aged 45 and older, if the beneficiary meets certain criteria. It may be ordered for a patient only by a health care provider with prescribing authority. After an order is placed, the company ships its sample collection kit directly to a patient’s home. The patient then collects a stool sample and ships it back to the company in a prepaid, preaddressed package. The sample is subsequently analyzed by a laboratory for presence of colorectal cancer or other indicators of disease.

Continue Reading OIG approves lab company’s gift card proposal for colorectal cancer screening kits

Taking a quick break from your regularly scheduled health policy and litigation analysis to let you know, if you want to get some of this analysis in person straight from the authors of this blog (along with CLE credit!), we are hosting our Ninth Annual Washington Health Care Conference in beautiful downtown Washington D.C. on April 25.

The event runs from 10 am until 4 pm and will be held at the Hamilton Hotel on 14th St. NW. There could still be space for you to attend if you act fast.

Many of the experts that you have come to rely on through this blog will either be speaking or in attendance. Additionally, there will be outside experts including our keynote speaker, Bob Kocher, a Partner at Venrock who is also an adjunct professor at Stanford University School of Medicine and a Senior Fellow at the Schaeffer Center for Health Policy and Economics at USC.

Here is the agenda. It includes sessions on such wide ranging and divergent topics as Digital Health and AI, HR and employment issues, health care transactions for private equity, post-Dobbs practical advice, and enforcement trends that we are seeing in the fields of antitrust, drug and device regulation, and health care fraud.

To register for the conference, please click here. A lunch buffet and a networking cocktail hour after the sessions are included.

The Medicare Act does not expressly provide for judicial review of overpayment determinations made by the Centers for Medicare & Medicaid Services (CMS) under the agency’s controversial Risk Adjustment Data Validation (RADV) program for Medicare Advantage (MA) organizations. With the first wave of such overpayment determinations expected in the coming months, MA organizations impacted by RADV audits should begin considering a potential route to judicial review of such overpayment determinations and whether courts may deem exhaustion of administrative remedies a prerequisite to judicial review.

Continue Reading A Potential Route to RADV Judicial Review: Part I

On April 7, 2023, only minutes apart, two federal district courts issued rulings on cases challenging the Food and Drug Administration’s regulations governing mifepristone, a key medication for women seeking an abortion. Both rulings faulted the FDA’s handling of the approval and its subsequent restrictions on the dispensing of mifepristone, but the two rulings came to very different conclusions as to what the availability of the drug should be.

Judge Matthew Kacsmaryk of the U.S. District Court for the Northern District of Texas issued a 67-page opinion ordering that the FDA’s initial approval of the drug, which was approved in 2000, should be stayed pending the court’s full review of the merits of the case. The court then stayed its own order for seven days to allow the FDA to appeal to the U.S. Court of Appeals for the Fifth Circuit.

Just minutes later, Judge Thomas Rice of the U.S. District Court for the Eastern District of Washington issued a 31-page opinion ordering FDA and HHS not to make any changes to the availability of mifepristone under the current operative Risk Evaluation and Mitigation Strategy (REMS) program, which requires the drug to be prescribed and dispensed only by certified providers, among other requirements. Unlike Judge Kacsmaryk, whose injunction has nationwide effect, Judge Rice limited the effect of his order to only the 17 states and the District of Columbia who brought the challenge in his court. The 17 plaintiff states in this lawsuit are: Arizona, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Michigan, Minnesota, Nevada, New Mexico, Oregon, Pennsylvania, Rhode Island, Vermont, and Washington and the District of Columbia.

The most difficult-to-reconcile aspect of the two orders is the fact that Judge Kacsmaryk’s order is a nationwide stay of the drug’s approval, while Judge Rice’s order to maintain the status quo availability only applies to the specific plaintiffs.  Notably absent from the Washington order’s applicability would be California, Massachusetts, New Jersey, New York, North Carolina, New Hampshire, and Virginia.

Continue Reading Mifepristone Cases – Our Thoughts

Health care and health care-adjacent organizations are seeing a steep increase in risk arising from the frequently utilized third-party analytics and advertising services on their websites, mobile applications, patient portals, and other Internet-connected services. Those organizations should pay attention to new regulatory guidance, published settlements with regulators, and an onslaught of class action filings stemming from their use of third-party services that rely on tracking website and mobile application usage activity. The results of recent settlements with class action plaintiffs and regulators have included bans on disclosing health information for any advertising purposes, long-term regulatory oversight of the organizations’ data sharing practices, and millions of dollars in penalties and payments.

Wendell Bartnick, Nancy Halstead, Angela Matney, and Vicki Tankle discuss why the risk has recently increased, in addition to examining a few considerations for mitigation in this Reed Smith client alert.

Reed Smith will continue to follow the developments in this area. If you have any questions about this or any other healthcare third-party tracker compliance developments, please reach out to the health care lawyers at Reed Smith.