ONC Delays Timeframes for Information Blocking and Changes To Health IT Certification Program

Last week, the Department of Health and Human Services (“HHS”) Office of the National Coordinator for Health Information Technology (“ONC”) announced an Interim Final Rule with Comment Period (“IFC”) delaying compliance dates and timeframes for information blocking and the health IT certification program. This delay will come as a welcome change for “Actors” (i.e., health care providers and developers of certified Health IT) struggling to implement changes amid the COVID pandemic.


ONC issued the Cures Act Final Rule (the “Final Rule”) in March 2020 to implement the 21st Century Cures Act’s information blocking provision and establish additional health information technology (“health IT”) certification requirements. A month later, in response to concerns raised regarding the COVID-19 pandemic by health IT developers, ONC delayed effective dates for three months longer than initially proposed. The IFC expands upon these revised timeframes to give providers additional flexibility to prioritize their pandemic responses. Continue Reading

Cross-Post from Law360: Key Gov’t Tools For Addressing National PPE Shortages

This is a Cross-Post from Law360.  Please contact Sarah Rathke with any questions.

The COVID-19 pandemic has revealed shortcomings in U.S. supply chains requiring immediate action to continue to provide personal protective equipment (“PPE”) during the ongoing crisis.  Here, we’ve been published in Law360, discussing federal solutions for our national PPE shortages.  Read the full article here.

HHS pirouettes back to original position that Provider Relief Fund payments may be used to replace gross revenue, not just profits, lost due to the coronavirus

On October 22, the Department of Health and Human Services (HHS) updated its guidance on how hospitals and other providers should report their use of the nearly $135 billion in Provider Relief Fund payments that have been distributed.  The Provider Relief Fund, initially established by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, is intended to cover provider expenses and lost revenues attributable to the coronavirus pandemic.  HHS’s latest guidance is a huge victory for providers on how much of the funds may be used for lost revenues.  Providers are to calculate and report their use of the funds for lost revenue “up to the amount of the difference between their 2019 and 2020 actual patient care revenue.”  The funds may also be used to replace coronavirus-related revenue losses in the first half of 2021, by performing similar comparisons to 2019 revenue.

HHS’s latest instruction overrides its guidance from September limiting eligible “lost revenues” to lost profits from patient revenue.  But that September guidance surprised providers because it appeared to contradict the agency’s original instruction, from a June 2019 FAQ, that the funds may be used to replace any revenue lost due to the coronavirus and used to cover any costs the lost revenue would otherwise have covered (except salary amounts over $197,300).  HHS explained that it has reversed course because the September guidance “generated significant … opposition from many stakeholders and Members of Congress” and the consensus is that providers should be allowed to apply Provider Relief Fund “payments against all lost revenues without limitation.”

HHS’s guidance provides detailed instructions for reporting additional expenses and revenue losses.  The portal for reporting the use of Provider Relief Funds is scheduled to open on January 15, 2021, and the first reports are due on February 15, 2021.

CMS Adds 11 New Approved Telehealth Services During the COVID-19 Pandemic and Updates Guidance to States on Medicaid Telehealth Expansion

On October 14, the Centers for Medicare and Medicaid Services (CMS) announced that it has expanded its list of telehealth services approved for Medicare beneficiaries during the COVID-19 Public Health Emergency (PHE).  The eleven telehealth services CMS just added are for cardiac and pulmonary rehabilitation.  CMS approved them using an expedited process it unveiled in a May Interim Final Rule.  These eleven new services, along with many others designated as temporary, will remain in effect for the duration of the PHE.

CMS simultaneously announced preliminary data showing an explosive 2600% growth in the use of telehealth by Medicaid and CHIP beneficiaries between March and June 2020, as compared to that time last year.  “To further drive telehealth” among Medicaid populations, CMS said it has released a new supplement to its toolkit to guide states in expanding the use of telehealth.

CMS said it took these actions in response to President Trump’s August 3, 2020 Executive Order directing the agency, among other things, to review the “additional telehealth services offered to Medicare beneficiaries” and to “propose a regulation to extend these measures, as appropriate beyond the duration of the PHE ….”

CMS’s announcement is more good news for Medicare and Medicaid providers and beneficiaries alike regarding the agency’s commitment to the robust use of telehealth.  But Congress holds the key to allowing the telehealth expansion to continue beyond the PHE—it must lift statutory restrictions that ordinarily allow telehealth only in rural areas and not in a patient’s home.  With bipartisan support for telehealth expansion, lawmakers may increase their focus on the issue in 2021 when the new Congress convenes and the PHE hopefully is coming to an end.

DOJ Prioritizes Health Care Fraud in the Pandemic

The Department of Justice (“DOJ”) recently announced its largest ever health care fraud and opioid enforcement action.  In a coordinated effort, DOJ charged 345 defendants with more than $6 billion in fraud losses for submitting false and fraudulent claims to federal health care programs and private insurers.

The nationwide enforcement operation has been in motion since April and is the product of inter-agency cooperation between the Criminal Division, Fraud Section’s Health Care Fraud Unit, the Health Care Fraud and Appalachian Regional Prescription Opioid (ARPO) Strike Force program, local U.S. Attorneys’ Offices, HHS-OIG, FBI, and DEA.  You can read more about the DOJ’s action here on our Anti-Corruption Blog.

CMS Delays Publication of Final Rule Implementing Stark Law Changes to 2021.

As we reported last October, CMS and the OIG issued proposed rules aimed at updating the Stark Law, Anti-Kickback Statute, and Civil Monetary Penalties Law as part of HHS’ Regulatory Sprint to Coordinated Care. In part, the proposed rules seek to address the current value-based and coordinated healthcare environment. While publication of final rules concerning the Stark Law changes was originally expected in August 2020, late last month CMS announced an extension of the final rule publication date to August 31, 2021. The announcement stated that the agency is “still working through the complexity of the issues raised by the comments” as the reason for the extension.

Thus far, the OIG has not released a similar statement concerning publication of its changes to the Anti-Kickback Statute and Civil Monetary Penalties Law. However, given that CMS and OIG issued the proposed rules together, it seems reasonable to conclude that the OIG’s issuance of final rules for its changes will be similarly delayed.

Orthopedic Clinic Settles with HHS OCR for $1.5 Million over Claims of Systemic HIPAA Noncompliance

The US Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a settlement with Georgia-based Athens Orthopedic Clinic PA (the “Clinic”) to resolve multiple alleged violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (“HIPAA”).\

Under the terms of the settlement, the Clinic agreed to pay $1.5 million to OCR and to adopt a corrective action plan to settle potential violations of the Privacy and Security Rules under HIPAA. The Clinic provides orthopedic services to approximately 138,000 patients annually. Continue Reading

Department of Labor Issues Updated Families First Coronavirus Response Act Regulations, But Does Little To Resolve Employer Uncertainty (US)

The Families First Coronavirus Response Act (FFCRA) was enacted on March 18, 2020. The sweeping federal legislation provides emergency paid sick leave (EPSL) and expanded paid Family and Medical Leave (EFML) to certain covered workers impacted by the COVID-19 pandemic. On April 1, 2020, the U.S. Department of Labor (DOL) issued regulations implementing the FFCRA and answering, at least in part, some questions related to coverage, eligibility, use, and job restoration. You can read our updates to this subject here on our Employment Law Worldview site.

UK End of Transition – Moves to Provide Clarity for Industry

The work of UK health and regulatory authorities has mainly been targeted on COVID-19 work over recent months but there has been an increasing focus on End of Transition work in recent week’s and given that the Brexit transition period ends at 11pm on 31st December 2020 (GMT).  As part of this work, UK MHRA has started to issue multiple separate pieces of guidance for the UK Life Science industry that covers many areas including clinical trials, medical devices, marketing authorisations, pharmacovigilance and manufacture and supply.  These are to apply from the start of 2021 and 31 separate pieces of guidance were issued on 1 September with more to follow soon.

The guidance recognises that Northern Ireland will continue to apply EU rules in respect of medicines and device law and will be subject to the EU acquis under the Northern Ireland Protocol.  Great Britain will be subject to UK law and guidance seeks to explain how this will fit together in terms of ability to market and supply and comply with a jigsaw of obligations going forward.

One emerging major question that arises in relation to the new guidance is how this might fit with powers that could be exercised under the new United Kingdom Internal Markets Bill, if enacted and published this week.  The Bill contains powers that could seek to override differences in regulatory requirements across the UK from 2021.  Finally, it is also noted that the ongoing aim of a UK-EU FTA and guidance that may emerge from committees tasked with applying the Northern Ireland Protocol could also impact on how the UK Life Science industry should operate after the end of this year.

There are clearly many moving parts still and scope for significant shifts in the regulatory landscape in coming weeks.

HHS Eases Federal Substance Use Disorder Confidentiality Rules

Last month the Substance Abuse and Mental Health Services Administration (“SAMHSA”) finalized amendments to the federal Confidentiality of Substance Use Disorder Patient Records regulation, 42 C.F.R. Part 2 (“Part 2”). The changes purport to better facilitate substance use disorder (“SUD”) care coordination and treatment by loosening technical consent requirements, clarifying permissible disclosures, and providing other guidance. Notably, these changes do not address changes required under the COVID-19-related CARES Act, which will require aligning Part 2’s consent requirements more closely to HIPAA. More information about these changes are summarized below:

  • Modification of Authorization Requirements: Part 2 previously required naming specific individuals to receive SUD records in authorization forms (except in very limited circumstances). This functioned as a major barrier to effective data sharing because patients often did not know a specific person’s name at a recipient organization. The modified authorization rules now more closely align with HIPAA by permitting organizations (instead of specific persons) to be named in authorization forms.
  • Permissible Disclosures for Payment and Health Care Operations Permitted with Written Consent: Part 2 previously left some ambiguity about the types of purposes for which SUD information could be disclosed with patient consent. The modifications now permit disclosures with consent that align to the HIPAA definitions of “Payment” and “Health Care Operations” and include “care coordination and case management.”
  • Disclosures for Research: The modifications also align the Part 2 “research” disclosure rules much more closely with HIPAA and the federal “Common Rule” regarding human subject research.
  • Permissible Disclosures for Audit and Program Evaluation: The regulation also clarifies specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes. Federal, state and local governmental agencies and third-party payers may conduct audits and evaluations to identify needed actions at the agency or payer level to improve care. Additionally, audits and evaluations may include reviews of appropriateness of medical care, medical necessity, and utilization of services.
  • Regulation Scope and Re-Disclosure: Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless the provider incorporates SUD records received from a Program into the provider’s records. Otherwise, providers (and the EHRs they use) can avoid Part 2 applicability by segmenting data obtained from Part 2 records from the rest of the provider’s records.

Critical features of Part 2 remain unchanged, however, including:

  • Most data uses and disclosures still require patient authorization. However, Part 2 changes are coming up under the CARES Act that will make it substantially easier for entities subject to HIPAA to share information after obtaining an initial authorization.
  • Part 2 continues to prohibit law enforcement’s use of SUD patient records in criminal prosecutions against patients in the absence of a court order.

This development will have wide-ranging implications for Part 2 programs, which will benefit from the additional flexibility. The area of healthcare data privacy is constantly evolving and it can be difficult to navigate changes in the law. Please contact the authors of this post or your regular SPB contact if you have any questions.