The Centers for Medicare & Medicaid Services (“CMS”) recently published the proposed 2023 Physician Fee Schedule (“PFS”), which contains several important changes affecting Accountable Care Organizations (“ACOs”) that participate in the Medicare Shared Savings Program (“MSSP”), including a new Advanced Incentive Program. See Proposed 2023 PFS, 82 Fed. Reg. 45,860 (July 29, 2022).

ACOs enable health care providers to provide coordinated patient care to Medicare beneficiaries, and to share in the savings resulting from improved care. According to CMS, as of January 1, 2022, over 11 million Medicare beneficiaries receive care from 483 ACOs across the country. Id. at 46,093.

The proposed changes are intended to advance “growth, alignment, and equity,” and to “increase the percentage of people with Medicare in accountable care arrangements.” Id. at 46,093-94. Of note, and as described in a publication preceding the PFS, CMS proposed the changes to increase (i)  the number of beneficiaries assigned to MSSP ACOs; (ii) the number of higher spending populations in the program, since the change to regionally-adjusted benchmarks; and (iii) the representation of Black (or African American), Hispanic, Asian/Pacific Islander, and American Indian/Alaska Native beneficiaries assigned to MSSP ACOs, as compared to Non-Hispanic Whites.

Continue Reading CMS Aims to Grow ACO Participation

On July 20, 2022, the Office of Inspector General for the Department of Health and Human Services (“OIG”) issued a special fraud alert (“Alert”) advising “practitioners to exercise caution when entering into arrangements with purported telemedicine companies.” The Alert is only one of four such “special fraud alerts” that the OIG has issued in the past decade and it illustrates the importance of OIG’s statements.

OIG Flags Seven Characteristics of Telehealth Fraud

In the Alert, OIG cautions that certain companies that purport to provide telehealth, telemedicine, or telemarketing services (collectively, “Telemedicine Companies”) have carried out fraudulent schemes by: (i) aggressively recruiting physicians and non-physician practitioners (collectively, “Providers”) and (ii) paying kickbacks to such Providers in exchange for the ordering of unnecessary items or services, including durable medical equipment, genetic testing, and other prescription items. According to OIG, the fraudulent schemes have varied in design and operation and involved a variety of individuals, Providers, and health care vendors, including call centers, staffing companies, and marketers.

Continue Reading OIG Issues Special Fraud Alert Regarding Telemedicine Arrangements

On July 11, 2022, the Federal Trade Commission (FTC) published “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data,” on its Business Blog.  The blog post is likely related to an Executive Order (the “EO”) signed by President Biden in the wake of the Supreme Court’s Dobbs decision. Among other things, the EO directed the FTC to consider taking steps to protect consumers’ privacy when seeking information about and related to the provision of reproductive health care services.

While this latest drumbeat on this issue came from the FTC, we expect to see attention to this issue by other regulators, including, perhaps, the Department of Justice as well as state attorneys general.

Although the FTC post centers on location data and reproductive health services, it is likely that there will be more scrutiny of the collection and use of location data in general. This renewed focus will potentially subject a wide group of digital ecosystem participants to increased attention.  The spotlight will likely fall on interactive platforms, app publishers, software development kit (SDK) developers, data brokers and data analytics firms – over practices concerning the collection, sharing and perceived misuse of data generally.

The FTC blog post briefly explains the “opaque” world surrounding the collection of mobile location data (which the FTC asserts is often done without consumers’ full understanding) and the subsequent sharing and sale of information to data aggregators and brokers that then sell data access or data analysis products to marketers, researchers, or other businesses interested in gaining insights from alternative data sources. The post states that the misuse of mobile location and health information, including reproductive health data, “exposes consumers to significant harm.” As such, the FTC announced that it will “vigorously enforce the law if we uncover illegal conduct that exploits Americans’ location, health, or other sensitive data.”  More concrete legal requirements covering the collection and use of mobile location data may come with the passage of a bipartisan federal comprehensive privacy bill, but passage of this bill remains uncertain.

The FTC’s blog post closes with a few guidance tips on what companies should be considering when collecting or using sensitive consumer information, including location and health data:

  • Sensitive data is protected by various federal and state laws. Such laws include the FTC Act which regulates unfair and deceptive trade practices, the Children’s Online Privacy Protection Act (COPPA) and various state data privacy laws.
  • Examine claims that data “has been anonymized.” The FTC states that firms making misleading claims about anonymization in this area may violate the FTC Act, “especially in the context of location data.”
  • The agency will bring enforcement actions for misuse of consumer data. The post outlines several recent enforcement actions over misuse of sensitive consumer data, including location data.

The FTC’s blog post is just the latest in an increasing level of attention to the collection of data from mobile devices. As we’ve previously written about, the issue of location data has already garnered attention in Congress, and it would not be surprising to see some state legislatures – a number of which have already passed or considered comprehensive data privacy laws – take up the issue. Companies collecting or using mobile location data should pay close attention to developments in this area.

Fifty years of legal precedent established by Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood of Southern Pa. v. Casey, 505 U.S. 833 (1992), were overturned in Dobbs v. Jackson Women’s Health Organization, holding that the Constitution does not confer a right to abortion and leaving abortion laws to individual states to decide. This new landscape has introduced a wave of legal questions, and among these are questions regarding the protection of personal information related to abortion and contraceptive services. In efforts to address some of these privacy questions, the Office for Civil Rights (“OCR”) of the Department of Health and Human Services (“HHS”) published new guidance with respect to the Health Information Portability and Accountability Act (HIPAA) Privacy Rule (“Privacy Rule”). The new HIPAA guidance generally reminds providers about their obligations under the Privacy Rule to safeguard patients’ protected health information (“PHI”), even under many circumstances where the information has been requested by government officials or in the context of litigation. In addition, recognizing the extent to which patient information is held on patients’ personal smartphones and not protected under HIPAA (e.g., data entered into personal health apps, search history related to abortion and other reproductive care, and geolocation data), yet may be relevant under new criminal and civil state abortion laws, HHS issued supplemental guidance to consumers on how to protect and secure personal information on phones and tablets that is not otherwise protected by HIPAA.

Under the Privacy Rule, disclosure of PHI without patient authorization is permitted only in “narrow circumstances”, and disclosure of PHI to law enforcement is limited based on the facts and the nature of the requests (e.g., court-ordered warrant, subpoena, or to prevent or lessen a “serious and imminent threat to health or safety.”)[1] The Privacy Rule expressly defers to a provider’s professional judgement in determining what constitutes a “serious and imminent threat”;[2] however, per the guidance, OCR has clarified that it is “inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.”[3] Moreover, the “narrow circumstances” for disclosure include, but are not limited to, efforts to:

  • Comply with a court order, court-ordered warrant, subpoena, summons issued by a judicial officer, or a grand jury subpoena (45 CFR 164.512(f)(1)(ii)(A)-(B);
  • Respond to an administrative request[4] ((45 CFR 164.512(f)(1)(ii)(C));
  • Report PHI that a covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5));
  • Respond to a request for PHI about a victim of a crime, and the victim agrees (45 CFR 164.512(f)(3)); and
  • Report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)).

Thus, absent a court order, the Privacy Rule’s exceptions to disclose PHI for law enforcement purposes do not permit disclosure to law enforcement where a hospital or health care provider wishes to report an individual’s abortion or other reproductive health care. Thus, a hospital employee who suspects a patient of having an abortion in a state where it is illegal cannot report the planned abortion to law enforcement unless a state law specifically requires such reporting. HHS clarifies that a statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health and safety” of a person or the public.[5] Disclosing such information to law enforcement under such circumstances would be impermissible and would constitute a breach of unsecured PHI, requiring notification to HHS and the individual affected.[6]

And, while the Privacy Rule generally does not protect the privacy or security of an individual’s health information when it is accessed through or stored on a personal cell phone or tablet, guidance released last week by HHS outlined how individuals can protect themselves. The Privacy Rule only applies when PHI is created, received, maintained, or transmitted by covered entities and business associates (e.g., health care providers and health insurers), and does not extend to protecting the privacy of an individual’s Internet search history, any information that one voluntarily shares online, or an individual’s geographic location information. Consequently, the guidance sheds light on the ways one can protect their digital footprint and decrease how devices collect and share health and personal information.

Moreover, in response to the Dobbs decision and increasing concerns that personal data will be used to incriminate people seeking abortions, Sen. Elizabeth Warren, supported by a slate of five Democratic senators, proposed the passing of the Health and Location Protection Act to bar “data brokers from selling or transferring location data and health data.” If approved, the bill would permit the Federal Trade Commission and states’ attorneys general to sue brokers found to be in violation of the law. Notably, the legislation would include exceptions for compliance with HIPAA.

The legislative and regulatory landscape addressing abortion and reproductive health services is certain to change in the near future as states respond to the Dobbs decision. As granted by Dobbs, states will now have the authority to enforce their own abortion rules, which creates an opportunity for widely varying state statutes, penalties, exceptions, circumstances, and a variety of other consequences across the country. Health care providers that provide a full spectrum of women’s health care services, including abortion, will need to review their policies and procedures to ensure compliance with state laws and to understand how the Dobbs decision affects the care they can provide to patients. Providers should be familiar with the new guidance to verify the circumstances under which HIPAA permits the disclosure of PHI without patient authorization.

Proskauer is available to assist with addressing the short- and long-term implications of the Dobbs decision in the wake of forthcoming regulatory changes.

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[2] https://www.hhs.gov/hipaa/for-professionals/faq/3002/what-constitutes-serious-imminent-threat-that-would-permit-health-care-provider-disclose-phi-to-prevent-harm-patient-public-without-patients-authorization-permission/index.html

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[4] Provided that: the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and de-identified information could not reasonably be used.

[5] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

[6] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html

This past week, the Supreme Court of the United States (Supreme Court) denied UnitedHealthcare Insurance Company’s (UnitedHealthcare) petition for a writ of certiorari (Petition) challenging, in part, the Centers for Medicare & Medicaid Services’s (CMS) Overpayment Rule, which requires Medicare Advantage (MA) plans, such as UnitedHealthcare, to return identified “overpayments” to CMS within 60 days.  With this denial, the Overpayment Rule remains in full force and effect, and UnitedHealthcare, among other MA plans, must comply or potentially face False Claims Act (FCA) liability.

Continue Reading The Supreme Court Denies Petition Challenging CMS’s Overpayment Rule

The Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), recently issued new regulatory guidance relating to covered entities’ HIPAA-compliant use of remote communication technologies for audio-only telehealth services. This guidance is a direct response to a December 2021 Executive Order that tasked HHS with developing HIPAA guidance for telehealth services, with the stated goals of improving “patient experience and convenience” as the COVID-19 public health emergency subsides. HHS has issued this guidance in anticipation of the national public health emergency ending, at which time OCR’s Telehealth Notification loses effect.

The new HIPAA guidance affects covered entities in four key ways.

Continue Reading HHS Issues HIPAA Guidance on Remote Communication Technologies for Audio-Only Telehealth

We previously discussed the requirements of the Hospital Price Transparency Rule (“Rule”) on health care providers and health plans, as well as CMS’s proposal to increase penalties for a hospital’s failure to comply with the Rule.  About a year and a half after the Rule became effective, CMS has now imposed its first set of civil monetary penalties (“CMPs”) on Northside Hospital Atlanta and Northside Hospital Cherokee, which have been fined $883,180 and $214,320, respectively.

The Rule requires, in part, hospitals to make public a machine-readable file containing a list of all standard charges for all items and services, such as, e.g., supplies, room and board, and use of the facility, among other items.  See 45 C.F.R. § 180.40(a); id. at § 180.20.  The Rule also requires hospitals to display shoppable services in a consumer-friendly manner.  See id. at § 180.60(d)(2); id. at § 180.60(b).  The goal of these specific requirements, in addition to those set forth in the remainder of the Rule, is to provide consumers with sufficient information about the charges for certain items and services by requiring health care providers and health plans to be publicly transparent about such charges.

Based on CMS’s CMP letters, dated June 7, 2022, Northside Hospital Atlanta and Northside Hospital Cherokee were non-compliant with the aforementioned specific requirements of the Rule.  The chronology of events is important to understand how CMS ended up issuing its CMP letters.

Continue Reading Health Care Providers on Alert: Two Hospitals Penalized for Continuous Noncompliance with the Hospital Price Transparency Rule

The onset of the COVID-19 public health emergency (“PHE”) led to a surge in the use of telehealth by health care providers. In addition, the PHE fueled a boom in the number of direct-to-consumer (“DTC”) telehealth platforms, many of which have relied upon COVID-19 regulatory waivers to launch and operate in multiple states across the nation. For the reasons discussed below, DTC telehealth platforms should re-visit their compliance plans and be prepared for increased state and federal regulatory scrutiny.

Continue Reading Key Legal Issues Facing Telehealth Platforms, as Compliance Concerns Bubble for Platforms Launched During the Public Health Emergency

As part of the Fiscal Year 2023 New York state Executive Budget legislation, $1.2 billion in funding has been allocated for the payment of bonuses for certain “frontline” healthcare workers.

With the stated goals to “recruit, retain, and reward health care and mental hygiene workers,” the provision – located within Part D of the Health and Mental Hygiene Bill, as amended – requires the state Commissioner of Health, in consultation with the state Commissioner of Labor and the Medicaid inspector general, to develop procedures to facilitate payment of claims to covered employers for the purpose of funding worker bonuses in accordance with the provision’s requirements.  Bonus amounts will be commensurate with the number of hours worked by covered workers during designated vesting periods up to a total of $3,000 per covered worker.

Continue Reading New York State to Fund Bonuses for Certain Healthcare Workers as Part of State Budget

The Department of Health and Human Services (“HHS”) has issued a formal request for information from the public about how regulated entities are implementing industry recognized security practices. The request for information represents a chance for the private sector to contribute to HHS regulation. Interested parties have until June 6, 2022 to submit comments.

HHS seeks this information to be better informed when making determinations regarding fines, audits, and remedies after a potential violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The request for information was issued by HHS’s Office for Civil Rights (“OCR”), which enforces the privacy and security rules for health providers and insurers that hold health data.

The Health Information Technology for Economic and Clinical Health (“HITECH”) Act requires that HHS consider industry recognized security practices during enforcement, and does not require nor prohibit rulemaking based on the same. The HITECH Act defines “recognized security practices” as (i) the standards found in section 2(c)(15) of the National Institute of Standards and Technology (“NIST”) Act, (ii) the approaches found in section 405(d) of the Cybersecurity Act of 2015, and (iii) “other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities”. OCR seeks information in order to improve guidelines about these standards.

Uncorrected violations under the HITECH Act can carry a minimum of $50,000 per violation in civil penalties. Enforcement actions are initiated by OCR through investigating complaints alleging violations of HIPAA Rules, as well as compliance reviews conducted by OCR following a breach report. Covered entities are required to submit breach reports after cybersecurity incidents under certain circumstances.

The request for information, found here contains specific prompts on the topic.