On March 17, the Trump Administration announced expanded reimbursement for clinicians providing telehealth services for Medicare beneficiaries during the COVID-19 Public Health Emergency. The Centers for Medicare and Medicaid Services (CMS) published an announcement, a fact sheet and Frequently Asked Questions.  To further facilitate telehealth services, the Office for Civil Rights (OCR) issued a notification describing certain technologies that would be permitted to be used for telehealth without being subject to penalties under the Health Insurance Portability and Accountability Act regulations (HIPAA). In addition, the Office of Inspector General (OIG) announced it will allow healthcare providers to reduce or waive cost-sharing for telehealth visits.
Continue Reading Federal Government Significantly Expands Telehealth Reimbursement During COVID-19 Public Health Emergency

Following the President’s proclamation on March 13 that the COVID-19 outbreak constitutes a national emergency, Secretary of the Department of Health and Human Services (HHS) Alex Azar issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (full text available here) that waives or modifies certain health care laws and regulations in connection with the COVID-19 pandemic.  This “1135 Waiver” applies nationwide and took effect on March 15 at 6:00 p.m., but its applicability is retroactive to March 1, 2020.  The 1135 Waiver applies for a period of 60 days (subject to extension by the Secretary for successive 60-day periods) or for the duration of the COVID-19 national emergency (if earlier), except the waiver of the HIPAA Privacy Rule described below applies for only 72 hours following a hospital’s implementation of its disaster protocol.
Continue Reading HHS Issues Section 1135 Waiver, and CMS Issues Blanket Waivers of Health Care Laws, in Response to Coronavirus (COVID-19) Emergency

The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.
Continue Reading U.S. Health & Human Services – Office of Civil Rights Issued Guidance Regarding HIPAA Privacy and Novel Coronavirus

The Centers for Medicare and Medicaid Services (CMS) requested an audit by the Office of Inspector General (OIG) of Medicare Part D eligibility verification transactions (E1) transactions. The OIG recently released its report which found that the majority of the providers evaluated used E1 transactions for some inappropriate purpose other than to bill for a prescription or to determine drug coverage billing order.

What are E1 transactions and why is this information disturbing?
Continue Reading OIG Audit Finds that Majority of Part D Providers Surveyed Used E1 Transactions for Potentially Inappropriate Purposes

The Office for Civil Rights (OCR) announced on October 23, 2019 that Jackson Health System (Jackson), a not-for-profit hospital system comprised of six hospitals, urgent care centers, nursing facilities, and primary care and specialty services based in Miami, Florida, has waived its right to a hearing and did not contest the findings set forth in the OCR’s Notice of Proposed Determination (NPD), and has agreed to pay the full civil monetary penalty assessed by OCR. This unusual step means that Jackson will pay the full fine of $2.15 million.

According to the OCR, Jackson notified the OCR in 2013 that paper records of 256 patients’ personal health information (PHI) located in three boxes were lost in 2012. It thereafter reported in 2016 that the loss was actually 1,436 patient records.


Continue Reading Jackson Health System Fined by OCR

On October 17, 2019, the Department of Health and Human Services (HHS) published proposed rules to update the regulatory Anti-Kickback Statute (AKS) safe-harbors and exceptions to the Physician Self-Referral (PSR) Law, known commonly as the Stark Law (AKS proposed rule available here; PSR proposed rule available here). In an earlier blog post, we described each of the proposed rules. Among the proposed changes are a new safe harbor/exception that would generally permit entities to donate certain cybersecurity technology and related services to physicians, subject to compliance with the conditions described below. In the preamble to each proposed rule, the HHS Office of Inspector General (OIG) (which published the AKS proposed rule) and the Centers for Medicare and Medicaid Services (CMS) (which published the PSR proposed rule) noted that cyber-attacks in the health care industry are on the rise and cybersecurity technology can be cost-prohibitive for some providers. Both OIG and CMS stated their hope that the proposed rules will improve overall cybersecurity in the health care industry and reduce instances of data breaches resulting from cyber-attacks.
Continue Reading HHS Proposes Changes to Permit Donation of Cybersecurity Technology

On August 26, 2019, the Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published a notice of proposed rulemaking (NPRM) to “better align” its substance use disorder (SUD) confidentiality regulations at 42 C.F.R. Part 2 (Part 2) with the needs of providers and patients, and to “facilitate the provision of well-coordinated care” for individuals with SUD.
Continue Reading Spurred by Opioid Crisis, Government Proposes Additional Changes to Substance Use Disorder Confidentiality Regulations to Facilitate Provision of Coordinated Care

In its second quarter Securities Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.
Continue Reading Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

On July 25, 2019, New York Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The SHIELD Act modifies the current Breach Notification Law to expand the types of data elements that are considered “private information” and to expand the data breach disclosure requirements for individuals and businesses. Moreover, the law creates a requirement that owners or licensors of private information meet a new “reasonable security requirement.”
Continue Reading SHIELD Act Becomes Law, Expanding Breach Notification and Data Security Requirements

On July 30, 2019, the Centers for Medicare & Medicaid Services (CMS) announced “Data at the Point of Care” (DPC), a pilot program that will provide clinicians with access to claims data. The pilot program follows on the heels of the recently proposed Interoperability and Patient Access Proposed Rule, which would require regulated health plans to make patient data available through an application programming interface (API). These actions are also part of the MyHealthEData initiative spearheaded by the White House Office of American Innovation.
Continue Reading CMS Announces Pilot Program for Clinicians to View Claims Data of Medicare Beneficiaries