New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth


The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their Fast Healthcare Interoperability Resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident than earlier this year, when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks is subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commensurate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15% and 25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

Mental Health Parity and Addiction Equity Act Final Rules (“Final Rules”) Are Released: Plans and Issuers Must Prepare for January 1, 2025 Effective Date (US)

The long-awaited Final Rules amending the Mental Health Parity and Addiction Equity Act (“MHPAEA”) were released on September 9, 2024, with the bulk of the requirements going into effect on January 1, 2025. As we previously reported here, in August 2023, the Departments of Labor, Health and Human Services (“HHS”) and Treasury (together, the “Departments”) published proposed rules further regulating insurance coverage for treatment for mental health and substance use disorders. Although the Final Rules appear less burdensome than the proposed rules, they do impose significant changes to the obligations of group health plans and health insurance issuers with a short time to achieve compliance. The key provisions are summarized below.

Key Changes in the Final Rules

The Final Rules’ stated intent is to “strengthen consumer protections consistent with MHPAEA’s fundamental purpose,” which includes reducing burdens on access to benefits for individuals in group health plans or with group or individual health insurance coverage seeking treatment for mental health and substance use disorders (“MH/SUD”) as compared to accessing benefits for the treatment of medical/surgical (“M/S”) conditions.

The Final Rules purport to achieve that goal through four key changes to the MHPAEA:

  • Mandating content requirements for performing a comparative analysis of the design and application of each non-quantitative treatment limitation (“NQTL”) applicable to MH/SUD benefits.
  • Setting forth design and application requirements and relevant data evaluation requirements to ensure compliance with NQTL rules.
  • Increasing scrutiny of network adequacy for MH/SUD benefits.
  • Introducing core treatment coverage requirements to the meaningful benefit standard.

Comparative Analysis Content Requirements

Since 2021, insurance plans and issuers offering plans that cover both M/S and MH/SUD benefits and impose NQTLs on MH/SUD benefits must have a written comparative analysis demonstrating that the factors used to apply an NQTL to MH/SUD benefits are comparable to and applied no more stringently than those used to apply that same NQTL to M/S benefits, as set forth in the 2021 Consolidated Appropriations Act (“CAA”). The Final Rules expand upon the NQTL analysis required by the CAA and include six specific content elements:

  1. a description of the NQTL;
  2. identification and definition of the factors and evidentiary standards used to design or apply the NQTL;
  3. a description of how factors are used in the design or application of the NQTL;
  4. a demonstration of comparability and stringency, as written;
  5. a demonstration of comparability and stringency, in operation, including the required data, evaluation of that data, explanation of any material differences in access, and description of reasonable actions taken to address such differences; and
  6. findings and conclusions.

Upon request, plans and issuers must provide written comparative analyses to U.S. regulators, plan beneficiaries, participants, or enrollees who have received an adverse benefit determination related to MH/SUD benefits, and participants and beneficiaries in plans governed by ERISA at any time. Plans and issuers only have 10 business days to respond to a request from the relevant Secretary to review its comparative analyses and, if an initial determination of noncompliance is made, the plan or issuer only has 45 calendar days to respond with specific actions it will take to bring the plan into compliance and provide additional comparative analyses that demonstrate compliance. Upon a final determination of noncompliance, notice must be given to all participants, beneficiaries, and enrollees within seven business days after the relevant Secretary’s determination.

Demonstrating Compliance with NQTL Rules

The Final Rules also require that a NQTL applicable to MH/SUD benefits in a classification is no more restrictive than the predominant NQTL applied to M/S benefits in the same classification. In order to ensure compliance with NQTL rules, plans and issuers must satisfy two sets of requirements: (1) the design and application requirements, and (2) the relevant data evaluation requirements. For example, under the design and application requirements, a plan cannot reimburse non-physician providers of MH/SUD services by reducing the rates for physician providers of MH/SUD services unless it applies the same reduction to non-physician providers of M/S services from the rate for physician providers of such services. Under the relevant data evaluation requirements, to compare the impact of NQTLs related to network composition on access to MH/SUD versus M/S benefits, a plan should evaluate metrics relating to the time and distance from plan participants and beneficiaries to network providers, the number of network providers accepting new patients, provider reimbursement rates, and in-network and out-of-network utilization rates.

Design and Application

Plans and issuers must examine the factors used to design and apply an NQTL to MH/SUD benefits to ensure such factors are comparable to those used with respect to M/S benefits in the same classification. The Final Rules also prohibit using information that discriminates against MH/SUD benefits as compared to M/S benefits, meaning information that systematically disfavors or was specifically designed to disfavor access to MH/SUD benefits. Appropriate information and other factors to use in designing and applying an NQTL to MH/SUD benefits include generally recognized independent professional medical or clinical standards.

Relevant Data Evaluation

The relevant data evaluation requirement means plans and issuers must collect and evaluate data to ensure, in operation, that an NQTL applicable to MH/SUD benefits is not more restrictive than the NQTL applied to M/S benefits in the same classification. The Final Rules anticipate that the relevant data for any given NQTL will depend on the facts and circumstances and provide flexibility for plans to determine what should be collected and evaluated. Examples of relevant data provided in the Final Rules include the number and percentage of claim denials, utilization rates, and network adequacy rates.

Network Adequacy

The Final Rules demonstrate the Departments’ increased scrutiny of network adequacy issues for MH/SUD benefits. For NQTLs related to network composition standards, a plan or issuer must collect data to assess the NQTLs’ aggregate impact on access to MH/SUD benefits and M/S benefits. By way of example, suppose the evaluated data suggests that an NQTL contributes to a material difference in access to MH/SUD benefits compared to M/S benefits. In that case, plans and issuers must act to address any material differences in access. The Final Rules provide examples of reasonable compliance actions, including increased recruiting efforts for MH/SUD providers, expanding telehealth options under the plan, and ensuring that provider directories are accurate and reliable. A plan must document the actions that it takes to address differences in access to in-network MH/SUD providers as compared to in-network M/S providers.

Meaningful Benefit Standard

The Final Rules require plans to provide “meaningful” benefits for MH/SUD disorders in every classification in which the plan provides M/S benefits. Benefits are “meaningful,” for MHPAEA purposes, when they cover core treatments for that condition, meaning a standard treatment or course of treatment, therapy, service, or intervention indicated by generally recognized independent standards of current medical practice.

The Final Rules provide examples to demonstrate the application of the meaningful benefits standard. In one example, a plan covers the full range of outpatient treatments (including core treatments) and treatment settings for M/S benefits when provided on an out-of-network basis. The same plan covers outpatient, out-of-network developmental screenings for a mental health condition but excludes all other benefits, such as therapeutic intervention, for outpatient treatment when provided on an out-of-network basis. The Departments view therapeutic intervention, however, as a core treatment for the mental health condition under generally recognized independent standards of current medical practice. Per the Final Rules, the Departments interpret such exclusion as a violation because the plan does not cover a core treatment for the mental health disorder in the outpatient, out-of-network classification. Since the plan’s coverage for M/S benefits includes a core treatment in the classification, the Final Rules opine that the plan fails to provide meaningful benefits for treatment of the mental health disorder.

Effective Dates

The new requirements of the Final Rules will go into effect on different dates. Plans and issuers have until January 1, 2026, to comply with the meaningful benefits standard, the prohibition on discriminatory factors and evidentiary standards, the relevant data evaluation requirements, and the related requirements in the provisions for comparative analyses. During this time, plans and issuers should assess whether their mental health provider networks are adequate, and also consider expanding the scope of MH/SUD benefits across classifications to meet new parity requirements.

The other requirements, including most of the new requirements affecting comparative analyses, go into effect on January 1, 2025. Accordingly, plans and issuers should use the time remaining this year to develop a plan to prepare NQTL comparative analyses within the three-month compliance period, and have processes in place to quickly address any material changes to benefit design in the future.

Application of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and Analysis

On September 23, 2024, the U.S. Departments of Labor, the Treasury, and Health and Human Services (collectively, the “Departments”) released final rules (the “Final Rules”) that implement requirements under the Mental Health Parity and Addiction Equity Act (MHPAEA).

The primary focus of the Final Rules is to implement new statutory requirements under the Consolidated Appropriations Act of 2021, which amended MHPAEA to require health plans and issuers to develop comparative analyses to determine whether nonquantitative treatment limitations (NQTLs)—which are non-financial restrictions on health care benefits that can limit the length or scope of treatment—for mental health and substance use disorder (MH/SUD) benefits are comparable to and applied no more stringently than NQTLs for medical/surgical (M/S) benefits.

Last month, Epstein Becker Green published an Insight entitled “Mental Health Parity: Federal Departments of Labor, Treasury, and Health Release Landmark Regulations,” which provides an overview of the Final Rules. This Insight takes a closer look at the application of the Final Rules to NQTLs related to provider network composition and reimbursement rates.

Provider Network Composition and Reimbursement NQTL Types

A key focus of the Final Rules is to ensure that NQTLs related to provider network composition and reimbursement rates do not impose greater restrictions on access to MH/SUD benefits than they do for M/S benefits.

In the Final Rules, the Departments decline to specify which strategies and functions they expect to be analyzed as separate NQTL types, instead requiring health plans and issuers to identify, define, and analyze the NQTL types that they apply to MH/SUD benefits. However, the Final Rules set out that the general category of “provider network composition” NQTL types includes, but is not limited to, “standards for provider and facility admission to participate in a network or for continued network participation, including methods for determining reimbursement rates, credentialing standards, and procedures for ensuring the network includes an adequate number of each category of provider and facility to provide services under the plan or coverage.”[1]

For NQTLs related to out-of-network rates, the Departments note that NQTLs would include “[p]lan or issuer methods for determining out-of-network rates, such as allowed amounts; usual, customary, and reasonable charges; or application of other external benchmarks for out-of-network rates.”[2]

Requirements for Comparative Analyses and Outcomes Data Evaluation

For each NQTL type, plans must perform and document a six-step comparative analysis that must be provided to federal and state regulators, members, and authorized representatives upon request. The Final Rules divide the NQTL test into two parts: (1) the “design and application” requirement and (2) the “relevant data evaluation” requirement.

The “design and application” requirement, which builds directly on existing guidance, requires the “processes, strategies, evidentiary standards, or other factors” used in designing and applying an NQTL to MH/SUD benefits to be comparable to, and applied no more stringently than, those used for M/S benefits. Although these aspects of the comparative analysis should be generally familiar, the Final Rules and accompanying preamble provide extensive new guidance about how to interpret and implement these requirements.

The Final Rules also set out a second prong to the analysis: the requirement to collect and evaluate “relevant data” for each NQTL. If such analysis shows a “material difference” in access, then the Final Rules also require the plan to take “reasonable” action to remedy the disparity.

The Final Rules provide that relevant data measures for network composition NQTLs may include, but are not limited to:

  • in-network and out-of-network utilization rates, including data related to provider claim submissions;
  • network adequacy metrics, including time and distance data, data on providers accepting new patients, and the proportions of available MH/SUD and M/S providers that participate in the plan’s network; and
  • provider reimbursement rates for comparable services and as benchmarked to a reference standard, such as Medicare fee schedules.

Although the Final Rules do not describe relevant data for out-of-network rates, these data measures may parallel measures to evaluate in-network rates, including measures that benchmark MH/SUD and M/S rates against a common standard, such as Medicare fee schedule rates.

Under the current guidance, plans have broad flexibility to determine what measures must be used, though the plan must ensure that the metrics that are selected reasonably measure the actual stringency of design and application of the NQTL with regard to the impact on member access to MH/SUD and M/S benefits. However, additional guidance is expected to further clarify the data evaluation requirements that may require the use of specific measures, likely in the form of additional frequently asked questions as well as updates to the Self-Compliance Tool published by the Departments to help plans and issuers assess whether their NQTLs satisfy parity requirements.

The Final Rules require plans to look at relevant data for network composition NQTLs in the aggregate—meaning that the same relevant data must be used for all NQTL types (however defined). As such, the in-operation data component of the comparative analysis for network composition NQTLs will be aggregated.

If the relevant data indicates a “material difference,” the threshold for which the plan must establish and define reasonably, the plan must take “reasonable actions” to address the difference in access and document those actions.

Examples of a “reasonable action” that plans can take to comply with network composition requirements “include, but are not limited to:

  1. Strengthening efforts to recruit and encourage a broad range of available mental health and substance use disorder providers and facilities to join the plan’s or issuer’s network of providers, including taking actions to increase compensation or other inducements, streamline credentialing processes, or contact providers reimbursed for items and services provided on an out-of-network basis to offer participation in the network;
  2. Expanding the availability of telehealth arrangements to mitigate any overall mental health and substance use disorder provider shortages in a geographic area;
  3. Providing additional outreach and assistance to participants and beneficiaries enrolled in the plan or coverage to assist them in finding available in-network mental health and substance use disorder providers and facilities; and
  4. Ensuring that provider directories are accurate and reliable.”

These examples of potential corrective actions and related discussion in the Final Rules provide an ambitious vision for a robust suite of strategies that the Departments believe that plans should undertake to address material disparities in access as defined in the relevant data. However, the Final Rules put the onus on the plan to design the strategy that it will use to define “material differences” and remedy any identified disparity in access. Future guidance and enforcement may provide examples of how this qualitative assessment will play out in practice and establish both what the Departments will expect with regard to the definition of “material differences” and what remedial actions they consider to be sufficient. In the interim, it is highly uncertain what the practical impact of these new requirements will be.

Examples of Network Analyses Included in the Final Rules

The Final Rules include several examples to clarify the application of the new requirements to provider network composition NQTLs. Unfortunately, the value of these examples for understanding how the Final Rules will impact MH/SUD provider networks in practice may be limited. As a result, given the lack of detail regarding the complexity of analyzing these requirements for actual provider networks, as well as the fact that the examples fail to engage in any meaningful discussion of where to identify the threshold for compliance with these requirements, it remains to be seen how regulators will interpret and enforce these requirements in practice.

  • Example 1 demonstrates that it would violate the NQTL requirements to apply a percentage discount to physician fee schedule rates for non-physician MH/SUD providers if the same reduction is not applied for non-physician M/S providers. Our takeaways from this example include the following:
    • This example is comparable to the facts that were alleged by the U.S. Department of Labor in Walsh v. United Behavioral Health, E.D.N.Y., No. 1:21-cv-04519 (8/11/21).
    • Example 1 is useful to the extent that it clarifies that a reimbursement strategy that specifically reduces MH/SUD provider rates in ways that do not apply to M/S provider rates would violate MHPAEA. However, such cut-and-dried examples may be rare in practice, and a full review of the strategies for developing provider reimbursement rates is necessary.
  • Example 4 demonstrates that plans may not simply rely on periodic historic fee schedules as the sole basis for their current fee schedules. Here are some key takeaways from this example:
    • Even though this methodology may be neutral and non-discriminatory on its face, given that the historic fee schedules are not themselves a non-biased source of evidence, to meet the new requirements for evidentiary standards and sources, the plan would have to demonstrate that these historic fee schedules were based on sources that were objective and not biased against MH/SUD providers.
    • If the plan cannot demonstrate that the evidentiary standard used to develop its fee schedule does not systematically disfavor access to MH/SUD benefits, it can still pass the NQTL test if it takes steps to cure the discriminatory factor.
    • Example 4 loosely describes a scenario where a plan supplements a historic fee schedule that is found to discriminate against MH/SUD access by accounting for the current demand for MH/SUD services and attracting “sufficient” MH/SUD providers to the network. Unfortunately, however, the facts provided do not clarify what steps were taken to achieve this enhanced access or how the plan or regulator determined that access had become “sufficient” following the implementation of the corrective actions.
  • Example 10 provides that if a plan’s data measures indicate a “material difference” in access to MH/SUD benefits relative to M/S benefits that is attributable to these NQTLs, the plan can still achieve compliance by taking corrective actions. Our takeaways from this example include the following:
    • The facts in this example stipulate that the plan evaluates all of the measure types that are identified above as examples. Example 10 also states that a “material difference” exists but does not identify the measure or measures for which a difference exists or what facts lead to the conclusion that the difference was “material.” To remedy the material difference, this example states that the plan undertakes all of the corrective actions to strengthen its MH/SUD provider network that are identified above as examples and, therefore, achieves compliance. However, this example fails to clarify how potentially inconsistent outcomes across the robust suite of identified measures were balanced to determine that the “material difference” standard was ultimately met. Example 10 also does not provide any details about what specific corrective actions the plan takes or what changes result from these actions.

Epstein Becker Green’s Perspective

The new requirements of the Final Rules will significantly increase the focus of the comparative analyses on the outcomes of the provider network NQTLs. For many years, the focus of the comparative analyses was primarily on determining whether any definable aspect of the plan’s provider contracting and reimbursement rate-setting strategies could be demonstrated to discriminate against MH/SUD providers. The Final Rules retain those requirements but now put greater emphasis on the results of network composition activities with regard to member access and require plans to pursue corrective actions to remediate any material disparities in that data. This focus on a robust “disparate impact” form of anti-discrimination analysis may lead to a meaningful increase in reimbursement for MH/SUD providers or other actions to more aggressively recruit them to participate in commercial health plan networks.

However, at present, it remains unclear which measures the Departments will ultimately require for reporting. Concurrent with the release of their Notice of Proposed Rulemaking on July 23, 2023, the Departments published Technical Release 2023-01P to solicit comments on key approaches to evaluating comparability and stringency for provider network access and reimbursement rates (including some that are referenced as examples in the Final Rules). Comments to the Technical Release highlighted significant concerns with nearly all of the proposed measures. For example, proposals to require analysis of MH/SUD and M/S provider reimbursement rates for commercial markets that are benchmarked to Medicare fee schedules in a simplistic way may fail to account for differences in population health and utilization, value-based reimbursement strategies, and a range of other factors with significant implications for financial and clinical models for both M/S and MH/SUD providers. Requirements to analyze the numbers or proportions of MH/SUD and M/S providers that are accepting new patients may be onerous for providers to report on and for plans to collect and may obscure significant nuances with regard to wait times, the urgency of the service, and the match between the provider’s training and service offerings to the patient’s need. Time and mileage standards highlighted by the Departments not only often fail to capture important access challenges experienced by patients who need MH/SUD care from sub-specialty providers or facilities but also fail to account for evolving service delivery models that may include options such as mobile units, school-based services, home visits, and telehealth. Among the measures identified in the Technical Release, minor differences in measure definitions and specifications can have significant impacts on the data outcomes, and few (if any) of the proposed measures have undergone any form of testing for reliability and validity.

Also, it is still not clear where the Departments will draw the lines for making final determinations of noncompliance with the Final Rules. For example, where a range of different data measures is evaluated, how will the Departments resolve data outcomes that are noisy, conflicting, or inconclusive? Similarly, where regulators do conclude that the data that are provided suggest a disparity in access, the Final Rules identify a highly robust set of potential corrective actions. However, it remains to be seen what scope of actions the Departments will determine to be “good enough” in practice.

Finally, we are interested in seeing what role private litigation will play in driving health plan compliance efforts and practical impacts for providers. To date, plaintiffs have found it challenging to pursue litigation on the basis of claims under MHPAEA, due in part to the highly complex arguments that must be made to evaluate MHPAEA compliance and in part to the challenge for plaintiffs to have adequate insight into plan policies, operations, and data across MH/SUD and M/S benefits to adequately assert a complaint under MHPAEA. Very few class action lawsuits or large settlements have occurred to date. These challenges for potential litigants may continue to limit the volume of litigation. However, to the extent that the additional guidance in the Final Rules does give rise to an uptick in successful litigation, it is possible that the courts may end up having a greater impact on health plan compliance strategies than regulators.


ENDNOTES

[1] 26 CFR 54.9812-1(c)(4)(ii)(D), 29 CFR 2590.712(c)(4)(ii)(D), and 45 CFR 146.136(c)(4)(ii)(D).

[2] 26 CFR 54.9812-1(c)(4)(ii)(E), 29 CFR 2590.712(c)(4)(ii)(E), and 45 CFR 146.136(c)(4)(ii)(E).

BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental Affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five-year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act has only one safe harbor, which covers biotechnology equipment or services that were formerly, but are no longer, provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell its ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

WuXi AppTec is a large, global provider of contract development and manufacturing (CDMO) services to the life sciences industry. According to the New York Times, “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban Wuxi from conducting business in the United States, and if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of Wuxi U.S. Facilities:

Wuxi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, Wuxi would be expected to sell its U.S.-based facilities. However, based on TikTok’s experience, it is unclear if the Government of China will permit Wuxi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries, need to be prepared.

What Does the End of Chevron Deference Mean for Federal Health Care Programs?

On June 28, 2024, the Supreme Court rejected the doctrine of Chevron deference in the closely watched case of Loper Bright Enterprises v. Raimondo.[1] In a 6-3 decision, the Court held that Chevron’s rule that courts must defer to federal agencies’ interpretation of ambiguous statutes gave the executive branch interpretive authority that properly belonged with the courts. Moreover, the Court concluded that Chevron deference was inconsistent with the Administrative Procedure Act (APA), holding that the APA requires courts to exercise independent judgment when deciding legal issues in the review of agency action.

Loper will have significant and immediate implications for the U.S. Department of Health and Human Services (HHS), the federal agency charged with the administration of the federal health care programs, including Medicare and Medicaid. As detailed below, the Court’s decision sets a more exacting standard for courts to apply when reviewing HHS’s regulations and legal positions.

What Was Chevron Deference?

The doctrine of Chevron deference was established in 1984 by the Supreme Court in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc.[2] In that case, the Court held that when a “statute is silent or ambiguous with respect to the specific issue” raised regarding a statute that the agency administers, “the question for the court is whether the agency’s answer is based on a permissible construction of the statute.”[3]

Although scholars have debated Chevron’s rationale at length, it generally was read to require deference based upon agencies’ presumed subject matter expertise and an assumption that Congress delegated authority to agencies—rather than courts—to fill in gaps in statutory schemes. Notably, the Supreme Court had not itself invoked Chevron deference since 2016, although lower courts have continued to rely on it regularly.[4]

What Did Loper Decide?

Loper involved two New England fishing companies appealing the D.C. Circuit’s ruling that applied Chevron deference to uphold the National Marine Fisheries Service’s interpretation of the Federal Magnuson-Stevens Act (the “Act”) as requiring fishermen to pay for the use of compliance monitors on certain fishing boats, even though the federal law is silent on who must pay. Petitioners used the case as a vehicle to present a broader challenge to Chevron, arguing that the doctrine has led to excessive deference to federal agencies, resulting in overregulation, the abdication of judicial responsibility to interpret statutes, and the unwarranted imposition of regulatory enforcement costs.

The Loper majority firmly rejected Chevron and held that the APA requires courts to exercise their independent judgment in deciding legal questions that arise in reviewing agency action. As the majority held, “courts need not and under the APA may not defer to an agency interpretation of the law simply because a statute is ambiguous.”[5]

Importantly, however, Loper noted that deference may still be afforded agencies in certain instances. First, the Court observed that the APA expressly mandates a deferential standard of review for agency policy-making and fact-finding.[6] Second, Loper explained that some statutes are best read to “delegate[] discretionary authority to an agency,” in which case a court’s role is to merely ensure the agency “engaged in ‘reasoned decisionmaking’” within that authority.[7] Lastly, Loper reaffirmed that an agency’s “expertise” remains “one of the factors” that may make an agency’s interpretation persuasive.[8]

How Will Loper Impact Federal Health Care Programs?

Loper’s directive that courts should construe statutes independently and not defer to agencies’ positions has enormous implications for providers and suppliers that participate in federal health care programs. Much of today’s health care landscape is governed by HHS’ regulations, impacting many Americans and much of the federal budget. For example, Medicare currently covers more than 67 million beneficiaries, and Medicare spending comprised 12% of the federal budget in 2022 and 21% of national health care spending in 2021.[9]

Federal health care programs like Medicare and Medicaid are established by statutes that set forth myriad requirements regarding the coverage of items and services, and how, when, and by whom those items and services may be furnished.[10] HHS’s various components—most notably the Centers for Medicare and Medicaid Services (CMS)—have issued numerous, detailed regulations to implement these statutes. HHS’s components also include FDA, CDC, HRSA, AHRQ, OCR, NIH, and many others that intersect with health care providers and suppliers regularly.

Going forward under Loper, future challenges to agency regulations will take place upon a much different playing field. This has several important implications:

  • More Legal Challenges: We expect to see more legal challenges brought against HHS’s regulations as they are issued. Loper expressly stated that it “does not call into question prior cases that relied on the Chevron framework,” so prior decisions affirming regulations should be stable.[11] But going forward, Loper means that courts have no “thumb on the scale” in favor of HHS’s legal positions, and so litigants may view Loper as increasing their odds of success. At the same time, this may create more uncertainty for providers and suppliers who must determine how to comply with new regulations under challenge.
  • Less Ability for HHS to Create New Programs or Impose New Requirements: Especially where HHS imposes new substantive requirements that are not clearly authorized by statute, HHS’s regulations may be vulnerable. For example, the challengers to CMS’s minimum-staffing requirements for nursing homes are sure to cite Loper.[12] Likewise, when HHS creates new programs or initiatives by regulation based on broad statutory language (e.g., HHS’s recent creation of rural emergency hospital regulations[13]), the regulations may be more vulnerable to challenges. As another example, legal challenges to FDA’s new rule on Laboratory Developed Tests are pending and will likely invoke Loper.[14]
  • More Incentive to Challenge Reimbursement Rules: Legal challenges are frequently brought to CMS’s rules governing reimbursement, which often have complicated statutory formulas subject to differing interpretations. Whereas in the past, courts often deferred to CMS’s interpretations,[15] Loper now creates more potential for providers and suppliers to seek more favorable legal interpretations to enhance reimbursement.
  • Slower and More Cautious Rulemaking: As HHS promulgates new regulations, it will now have to consider the enhanced litigation risk that Loper creates. This may lead to agencies slowing and proceeding more cautiously in rulemaking as agencies seek to craft defensible regulations.
  • Inconsistent Decisions by Courts: Because Loper directs courts to exercise independent judgment rather than defer to HHS’s interpretations, we expect that courts in different areas of the country may reach differing conclusions regarding HHS regulations. This may make certain geographic locations more advantageous for provider and supplier operations or expansions.

Conclusion

Going forward, courts will be more amenable than ever to siding with challenges to HHS regulations. This creates both challenges and opportunities for providers and suppliers who should carefully assess the legal basis for all new regulations.

The authors acknowledge the contributions of Callie Ericksen, a student at the University of California Davis Law School and 2024 summer associate at Foley & Lardner LLP.


[1] Loper Bright Enterprises v. Raimondo, No. 22-451 (June 28, 2024), together with Relentless, Inc. v. Department of Commerce, No. 22-1219, available here.

[2] 467 U.S. 837 (1984).

[3] Id. at 843 (emphasis added).

[4] See Am. Hosp. Ass’n (“AHA”) v. Becerra, 142 S. Ct. 1896, 1904 (2022) (determining that HHS’s preclusion of judicial review “lacks any textual basis,” remaining silent with respect to Chevron); Becerra v. Empire Health Found., 142 S. Ct. 2354, 2362 (2022) (illustrating that HHS’s reading aligns with the statute’s “text, context, and structure” in calculating the Medicare fraction for purposes of Medicare Part A benefits, without any mention of Chevron); Vanda Pharms., Inc. v. Ctrs. for Medicare & Medicaid Servs., 98 F.4th 483 (2024) (holding that CMS’s definitions of “line-extension” and “new formulation” did not conflict with the Medicaid statute).

[5] Loper Bright Enterprises v. Raimondo, No. 22-451, slip op. 35 (June 28, 2024).

[6] Id. at slip op. 14 (citing 5 U.S.C. §§ 706(2)(A), (E)).

[7] Id. at slip op. 18.

[8] Id. at slip op. 25 (citing Skidmore v. Swift & Co., 323 U.S. 134 (1944)).

[9] See KFF, Medicare 101 (published May 28, 2024), available here.

[10] See 42 U.S.C. §§ 1395–1395lll.

[11] Loper Bright Enterprises v. Raimondo, No. 22-451, slip op. 34 (June 28, 2024).

[12] See Am. Health Care Ass’n v. Becerra, No. 24-cv-114 (N.D. Tex.) (challenging the rule issued at 89 Fed. Reg. 40876 (May 10, 2024)).

[13] Conditions of Participation, 42 C.F.R. §§ 485.500-485.546 (Subpart E), and Payments, §§ 419.90-419.95 (Subpart J), 87 Fed. Reg. 71748, 72292-93 (Nov. 23, 2022).

[14] 21 C.F.R. § 809, 89 Fed. Reg. 37286 (May 6, 2024).

[15] See, e.g., Baptist Mem’l Hosp. – Golden Triangle, Inc. v. Azar, 956 F.3d 689 (5th Cir. 2020) (deferring to CMS’s rule addressing “costs incurred” for calculating Medicaid Disproportionate Share Hospital payments).

HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their Notices of Privacy Practices (NPPs) to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii) (i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document, yet allows additional supporting information or documentation needed for the request to be submitted with the attestation (for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Privacy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe, among other things, the types and uses of disclosures of PHI that are prohibited under 45 CFR § 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and the processes and procedures that may change as well. Covered entities and business associates will also likely want to include these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

Recent Healthcare-Related Artificial Intelligence Developments

AI is here to stay. The development and use of artificial intelligence (“AI”) is rapidly growing in the healthcare landscape with no signs of slowing down.

From a governmental perspective, many federal agencies are embracing the possibilities of AI. The Centers for Disease Control and Prevention is exploring the ability of AI to estimate sentinel events and combat disease outbreaks and the National Institutes of Health is using AI for priority research areas. The Centers for Medicare and Medicaid Services is also assessing whether algorithms used by plans and providers to identify high risk patients and manage costs can introduce bias and restrictions. Additionally, as of December 2023, the U.S. Food & Drug Administration cleared more than 690 AI-enabled devices for market use.

From a clinical perspective, payers and providers are integrating AI into daily operations and patient care. Hospitals and payers are using AI tools to assist in billing. Physicians are using AI to take notes and a wide range of providers are grappling with which AI tools to use and how to deploy AI in the clinical setting. With the application of AI in clinical settings, the standard of patient care is evolving and no entity wants to be left behind.

From an industry perspective, the legal and business spheres are transforming as a result of new national and international regulations focused on establishing the safe and effective use of AI, as well as commercial responses to those regulations. Three such regulations are top of mind, including (i) President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI; (ii) the U.S. Department of Health and Human Services’ (“HHS”) Final Rule on Health Data, Technology, and Interoperability; and (iii) the World Health Organization’s (“WHO”) Guidance for Large Multi-Modal Models of Generative AI. In response to the introduction of regulations and the general advancement of AI, interested healthcare stakeholders, including many leading healthcare companies, have voluntarily committed to a shared goal of responsible AI use.

U.S. Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI

On October 30, 2023, President Biden issued an Executive Order on the Safe, Secure, and Trustworthy Development and Use of AI (“Executive Order”). Though long-awaited, the Executive Order was a major development and is one of the most ambitious attempts to regulate this burgeoning technology. The Executive Order has eight guiding principles and priorities, which include (i) Safety and Security; (ii) Innovation and Competition; (iii) Commitment to U.S. Workforce; (iv) Equity and Civil Rights; (v) Consumer Protection; (vi) Privacy; (vii) Government Use of AI; and (viii) Global Leadership.

Notably for healthcare stakeholders, the Executive Order directs the National Institute of Standards and Technology to establish guidelines and best practices for the development and use of AI and directs HHS to develop an AI Task force that will engineer policies and frameworks for the responsible deployment of AI and AI-enabled tech in healthcare. In addition to those directives, the Executive Order highlights the duality of AI with the “promise” that it brings and the “peril” that it has the potential to cause. This duality is reflected in HHS directives to establish an AI safety program to prioritize the award of grants in support of AI development while ensuring standards of nondiscrimination are upheld.

U.S. Department of Health and Human Services Health Data, Technology, and Interoperability Rule

In the wake of the Executive Order, the HHS Office of the National Coordinator finalized its rule to increase algorithm transparency, widely known as HT-1, on December 13, 2023. With respect to AI, the rule promotes transparency by establishing transparency requirements for AI and other predictive algorithms that are part of certified health information technology. The rule also:

  • implements requirements to improve equity, innovation, and interoperability;
  • supports the access, exchange, and use of electronic health information;
  • addresses concerns around bias, data collection, and safety;
  • modifies the existing clinical decision support certification criteria and narrows the scope of impacted predictive decision support intervention; and
  • adopts requirements for certification of health IT through new Conditions and Maintenance of Certification requirements for developers.

Voluntary Commitments from Leading Healthcare Companies for Responsible AI Use

Immediately on the heels of the release of HT-1 came voluntary commitments from leading healthcare companies on responsible AI development and deployment. On December 14, 2023, the Biden Administration announced that 28 healthcare provider and payer organizations signed up to move toward the safe, secure, and trustworthy purchasing and use of AI technology. Specifically, the provider and payer organizations agreed to:

  • develop AI solutions to optimize healthcare delivery and payment;
  • work to ensure that the solutions are fair, appropriate, valid, effective, and safe (“F.A.V.E.S.”);
  • deploy trust mechanisms to inform users if content is largely AI-generated and not reviewed or edited by a human;
  • adhere to a risk management framework when utilizing AI; and
  • research, investigate, and develop AI swiftly but responsibly.

WHO Guidance for Large Multi-Modal Models of Generative AI

On January 18, 2024, the WHO released guidance for large multi-modal models (“LMM”) of generative AI, which can simultaneously process and understand multiple types of data modalities such as text, images, audio, and video. The WHO guidance contains 98 pages with over 40 recommendations for tech developers, providers and governments on LMMs, and names five potential applications of LMMs, such as (i) diagnosis and clinical care; (ii) patient-guided use; (iii) administrative tasks; (iv) medical education; and (v) scientific research. It also addresses the liability issues that may arise out of the use of LMMs.

Closely related to the WHO guidance, the European Council’s agreement to move forward with a European Union AI Act (“Act”) was a significant milestone in AI regulation in the European Union. As previewed in December 2023, the Act will inform how AI is regulated across the European Union, and other nations will likely take note and follow suit.

Conclusion

There is no question that AI is here to stay. But how the healthcare industry will look when AI is more fully integrated remains to be seen. The framework for regulating AI will continue to evolve as AI and the use of AI in healthcare settings change. In the meantime, healthcare stakeholders considering or adopting AI solutions should stay abreast of developments in AI to ensure compliance with applicable laws and regulations.

Cannabis Rescheduling: HHS Findings and Legal Implications

On August 29, 2023, the U.S. Department of Health and Human Services (HHS) made a groundbreaking recommendation to the Drug Enforcement Administration (DEA) – that cannabis should be rescheduled from Schedule I to Schedule III under the Controlled Substances Act (CSA). This recommendation was made pursuant to President Biden’s request that the Secretary of HHS and the Attorney General initiate a process to review how cannabis is scheduled under federal law. In recent days, the unredacted 252-page analysis supporting the August recommendation was released pursuant to a Freedom of Information Act request. While the DEA is presently reviewing HHS’s recommendation and has final authority to schedule a drug under the CSA, it is ultimately bound by HHS’s recommendations on scientific and medical matters.

Why does this matter? Cannabis1 has been a Schedule I substance since the CSA was enacted in 1971. Substances are controlled under the CSA by placement on one of five lists, Schedules I through V. Schedule I controlled substances are subject to the most stringent controls and have no current accepted medical use. As a result, it is illegal under federal law to produce, dispense, or possess cannabis except in the context of federally approved scientific studies. Violations may result in large fines and imprisonment, including mandatory minimum sentences. Comparatively, Schedule III substances are considered to have less abuse potential than Schedule I and II substances, and have a currently accepted medical use in the United States.

In recent years, nearly all the states within the U.S. have revised their laws to permit medical cannabis use. And 24 states, as well as the District of Columbia, have eliminated certain criminal penalties for recreational cannabis use by adults. However, under the U.S. Constitution’s Supremacy Clause, federal law takes precedence over conflicting state laws. Thus, states cannot actually legalize cannabis use without congressional or executive action, and all unauthorized activities under Schedule I involving cannabis are federal crimes anywhere in the United States.2

Notable Findings in HHS’s Recommendation

For HHS to recommend that the DEA change cannabis from Schedule I to Schedule III, HHS had to make three specific findings: 1) cannabis has a lower potential for abuse than the drugs or other substances in Schedules I and II; 2) cannabis has a currently accepted medical use in treatment in the U.S.; and 3) abuse of cannabis may lead to moderate or low physical dependence or high psychological dependence. HHS considered eight factors to make those findings, some of which include: cannabis’s actual or relative potential for abuse; the state of current scientific knowledge regarding the drug; the scope, duration, and significance of abuse; and what, if any, risk there is to public health. The unredacted analysis provides further insight into HHS’s determination to make the aforementioned findings.

CANNABIS HAS A POTENTIAL FOR ABUSE LESS THAN THE DRUGS OR OTHER SUBSTANCES IN SCHEDULES I AND II.

To evaluate cannabis’s potential for abuse,3 HHS compared the harms associated with cannabis abuse to the harms associated with other substances, such as heroin (Schedule I), cocaine (Schedule II), and alcohol.4 HHS reported that evidence shows some individuals take cannabis in amounts sufficient to create a health hazard to themselves and the safety of other individuals and the community. However, HHS also reported evidence showing the vast majority of cannabis users are using cannabis in a manner that does not lead to dangerous outcomes for themselves or others. From 2015 to 2021, the utilization-adjusted rate of adverse outcomes involving cannabis was consistently lower than the respective utilization-adjusted rates of adverse outcomes involving heroin, cocaine, and other comparators. Further, cannabis was the lowest-ranking group for serious medical outcomes, including death. Overall, the data indicated that cannabis produced fewer negative outcomes than Schedule I, Schedule II drugs, and, in some cases, alcohol.

CANNABIS HAS A CURRENTLY ACCEPTED MEDICAL USE IN TREATMENT IN THE UNITED STATES

To determine whether cannabis has a currently accepted medical use (CAMU) in the U.S., HHS evaluated a two-part standard: 1) whether “[t]here exists widespread, current experience with medical use of the substance by [healthcare providers] operating in accordance with implemented jurisdiction-authorized programs, where medical use is recognized by entities that regulate the practice of medicine”; and 2) whether “[t]here exists some credible scientific support for at least one of the medical uses for which Part 1 is met.”

Under Part 1, HHS confirmed that more than 30,000 healthcare providers across 43 U.S. jurisdictions are authorized to recommend the medical use of cannabis for more than six million registered patients for at least 15 medical conditions. The Part 1 findings, therefore, supported an assessment under Part 2. Under Part 2, HHS reported that, based on the totality of the available data, there exists some credible scientific support for the medical use of cannabis. Specifically, credible scientific support described at least some therapeutic cannabis uses for anorexia related to a medical condition, nausea and vomiting (e.g., chemotherapy-induced), and pain.

Overall, while HHS reported that cannabis has a currently accepted medical use in the U.S., the Food and Drug Administration (FDA) underscored that such a finding does not mean that the FDA has approved cannabis as safe and effective for marketing as a drug in interstate commerce under the Federal Food, Drug, and Cosmetic Act.

ABUSE OF CANNABIS MAY LEAD TO MODERATE OR LOW PHYSICAL DEPENDENCE OR HIGH PSYCHOLOGICAL DEPENDENCE.

Lastly, HHS concluded that research indicated that chronic, but not acute, use of cannabis can produce both psychic and physical dependence in humans. However, while cannabis “can produce psychic dependence in some individuals,” HHS emphasized that “the likelihood of serious outcomes is low, suggesting that high psychological dependence does not occur in most individuals who use marijuana.”

Legal Ramifications of New Scheduling

Changing cannabis from Schedule I to Schedule III may potentially allow cannabis to be lawfully dispensed by prescription5 and states’ medical cannabis programs may now be able to comply with the CSA. However, it would not make state laws legalizing recreational cannabis use in compliance with federal law without other legal changes by Congress or the executive branch. Under the change, medical cannabis users may be eligible for public housing, immigrant and nonimmigrant visas, and the purchase and possession of firearms. They may also face fewer barriers to federal employment and eligibility to serve in the military. Researchers would face fewer regulatory controls, and the DEA would no longer set production quota limitations for cannabis. Because the prohibition on business deductions in Section 280E of the Internal Revenue Code only applies to Schedule I and II substances of the CSA, changing cannabis from Schedule I to Schedule III would allow cannabis businesses to deduct business expenses on federal tax filings.

Importantly, some criminal penalties for CSA violations depend on the schedule of the substance. Thus, if cannabis were to be reclassified as a Schedule III substance, some criminal penalties for CSA violations would no longer apply or be significantly reduced. However, CSA penalties that specifically apply to cannabis, such as quantity-based mandatory minimum sentences, would not change under a new rescheduling.

Many advocates consider HHS’s findings a step in the right direction. Specifically, supporters consider the findings further evidence that cannabis should be removed from the CSA altogether and regulated akin to tobacco and alcohol (referred to as descheduling). Given the momentum of cannabis legalization across U.S. states and breakthroughs in the medical and scientific advantages of cannabis, Congressional or Executive legalization, or – at the very least – descheduling of cannabis may be on the horizon.


1 The CSA classifies the cannabis plant and its derivatives as “marijuana.” The CSA definition of marijuana excludes (1) products that meet the legal definition of hemp and (2) the mature stalks of the cannabis plant; the sterilized seeds of the plant; and fibers, oils, and other products made from the stalks and seeds.

2 Congress has granted the states some leeway in the distribution and use of medical marijuana by passing an appropriations rider preventing the Department of Justice from using taxpayer funds to prevent states from “implementing their own laws that authorize the use, distribution, possession, or cultivation of medical marijuana.” Courts have interpreted this as a prohibition on federal prosecution of state-legal activities involving medical cannabis.

3 In its report, HHS defined “abuse” to mean the “intentional, non-therapeutic use of a drug to obtain a desired psychological or physiological effect.”

4 Alcohol is not a scheduled controlled substance, but was used as a comparison because of its extensive availability and use in the U.S., which is also observed for the nonmedical use of cannabis.

5 Although the FDA has approved some drugs derived from cannabis, cannabis is not presently an FDA-approved drug.