Tag: HHS

FCA Enforcement & Compliance Digest — Fall 2024 False Claims Act Newsletter

Welcome to the Fall 2024 issue of “FCA Enforcement & Compliance Digest,” our quarterly newsletter in which we compile essential updates on False Claims Act (FCA) enforcement trends, litigation, agency guidance, and compliance tips. We bring you the most recent and significant insights in an accessible format, concluding with our main takeaways — aka “And the Fox Says…” — on what you need to know.

In this Fall 2024 edition, we cover:

  1. Enforcement Trends: Manufacturers challenge AKS intent requirement as reflected in recent denials of OIG Advisory Opinion requests.
  2. Litigation Developments: Implications of Florida judge’s ruling that the FCA qui tam provision is unconstitutional.
  3. Compliance Corner: What health care companies need to know about AI.
  4. ICYMI: Federal Court Permits Investors to Resume Kickback Suit Against Teva

1. Enforcement Trends

Do Violations of the AKS Require a ‘Corrupt’ Intent? Manufacturers Challenge the OIG’s Interpretation of the Statute

In a series of recent lawsuits filed by the pharmaceutical industry against the US Department of Health and Human Services (HHS) Office of the Inspector General (OIG), manufactures are challenging the OIG’s interpretation of the Anti-Kickback Statue (AKS), arguing that violations of the statute require a corrupt intent. While courts have so far ruled in OIG’s favor, should a court accept this argument, the AKS regulatory landscape could be upended, providing health care providers and suppliers the opportunity to develop and implement arrangements that have historically been prohibited by the OIG.

The challenges to OIG’s interpretation of the AKS come in the context of OIG Advisory Opinion requests submitted by the manufacturers (or a related charity) proposing various forms of patient assistance programs under which the manufacturers or their related charities offer financial assistance to patients on the manufacturers’ products. The OIG denied each of the Advisory Opinion requests, finding that the proposed forms of patient assistance would constitute remuneration intended to induce patients to purchase the manufacturers’ drugs in violation of the AKS.

The OIG has consistently reiterated its opposition to manufacturer-operated patient assistance programs, with both the OIG’s 2005 Special Advisory Bulletin: Patient Assistance Programs for Medicare Part D Enrollees and the 2014 Supplemental Special Advisory Bulletin: Independent Charity Patient Assistance Programs noting that manufacturers cannot provide co-pay assistance to federal health care program beneficiaries, as doing so would constitute a kickback. However, the guidance also described the parameters under which independent charities can provide co-pay assistance, including assistance to federal health care program beneficiaries (i.e., Medicare beneficiaries). One of the key factors with respect to the operation of charitable patient assistance programs, is the independence of the charities operating the programs. While the independent charities are primarily funded by manufacturers, to be considered independent for OIG’s purposes, the charities must retain independence from donors. This means the donors cannot influence the design or operation of the patient assistance programs, and the programs cannot favor patients on the donor’s drug (e.g., assistance cannot be contingent upon the patient being prescribed a donor’s drug).

In three separate litigations, Pfizer Inc. v. United States Department of Health and Human ServicesVertex Pharmaceuticals Incorporated v. United States Department of Health and Human Services et al., and Pharmaceutical Coalition for Patient Access v. United States of America et al., manufacturers are challenging OIG’s long-held position that manufacturers cannot provide patient assistance, including co-pay assistance, to federal health care program beneficiaries. In doing so, the goal of the manufacturers is to provide assistance to patients, including co-pay support, either directly or through a charity that is not considered independent by OIG’s standards due to the relationship of the proposed charities to the manufactures and the level of influence by the manufacturers over the proposed charities. In each litigation, the manufacturer or, in the case of the Pharmaceutical Coalition for Patient Access (PCPA), the charity controlled by the manufacturers, is challenging an unfavorable Advisory Opinion issued by OIG concluding that the proposed patient assistance programs would constitute remuneration intended to induce patients to use a particular manufacturer’s products.

Under the arrangements proposed by Pfizer and PCPA, the proposed charities would be funded exclusively by manufacturers and would only provide support to patients on those funders’ drugs. In Pfizer’s Advisory Opinion request, the company proposed two potential co-pay assistance programs: (1) a direct co-pay assistance program and (2) a Pfizer-supported charity co-pay assistance program. Similar to the proposed Pfizer-supported charity co-pay assistance program, PCPA, an organization funded by manufacturers of Part-D-covered oncology drugs, proposed to create its own patient assistance program that would provide co-pay assistance to patients who meet certain qualifying criteria and then invoice each participating manufacturer for “the total amount of cost-sharing subsidies provided to eligible Part D enrollees.”

Vertex’s Advisory Opinion request focused on a proposed “Fertility Preservation Program” under which Vertex would pay fertility providers through a third-party vendor for the treatments provided to patients enrolled in the program. While this proposed program involved coverage of related treatment costs (i.e., the costs of the fertility treatments) rather than coverage of the co-pay costs associated with the Vertex drug itself, OIG nonetheless applied the same reasoning as in the Pfizer and PCPA opinions, concluding that the program would constitute remuneration to the patients in violation of the AKS.

In each litigation, the manufacturer (or, in the case of PCPA, the manufacturer-related charity) is challenging OIG’s position that the manufacturer’s subsidies constitute “remuneration” meant “to induce” patients to purchase manufactures’ products. The manufacturers argue that the AKS criminalizes conduct that “leads or tempts to the commission of crime” through “remuneration” that corrupts medical decision-making, as part of a quid pro quo transaction. In other words, according to the manufacturers, “to induce” requires a corrupt intent. Therefore, because the manufactures’ efforts to assist patients with meeting Medicare co-pay obligations or gaining access to Medicare-covered treatments (or treatments otherwise covered by the federal health care programs) are not done with malice or corrupt intent, such programs would not violate the AKS.

To date, no court has agreed with the manufacturers’ position. While Vertex is still pending trial in the District Court for the District of Columbia, the District Court for the Southern District of New York ruled against Pfizer, noting that “the law is clear that absent an express carve-out, the Anti-Kickback Statute prohibits any remuneration intended to induce someone to purchase or receive a drug or medical service.” Similarly, the District Court for the Eastern District of Virginia ruled against PCPA, concluding that HHS OIG’s “interpretation of the AKS adheres faithfully [to] the statute’s plain text, comports with its context, and does not offend its history.” On appeal, the Second Circuit affirmed the District Court’s decision in Pfizer, finding that an AKS violation does not require “corrupt intent.” Pfizer then appealed to the US Supreme Court, which denied certiorari. PCPA’s case is currently on appeal with the Fourth Circuit.

Should the Vertex court or a court of appeals agree that the statutory terms “induce” and “remuneration” should be construed more narrowly and require a corrupt intent to violate the AKS, AKS regulatory interpretation and much of OIG’s guidance could be called into question. Arrangements that have historically been viewed as suspect by the OIG could be considered compliant to the extent the parties lacked a corrupt intent to violate the law.

And the Fox Says… Ongoing efforts challenging OIG’s statutory interpretation of the AKS demonstrate manufacturers’ interests in narrowing the scope of prohibited activities under the law. Providers and suppliers should continue monitoring the ongoing litigation and any future efforts to challenge OIG’s interpretation of the AKS, as any judicial narrowing of the interpretation could provide opportunities to develop innovative arrangements that may be beneficial to patients. Regardless, developing compliant arrangements to benefit patients can be complicated, and legal counsel can help to ensure you remain apprised of all relevant developments and assist in structuring compliant arrangements.

2. Litigation Developments

What Is the FCA Without Its Qui Player? A Look Into Zafirov’s Future Implications and the Enforceability of the FCA Without a Qui Tam Device

As we previously discussed, a Florida federal district court recently held in Zafirov v. Florida Medical Associates LLC that the FCA qui tam provision is unconstitutional. The court reasoned that a relator who litigates an FCA lawsuit on behalf of the United States is not a properly appointed “officer” under Article II of the US Constitution and, thus, does not have the authority to serve in that position. This article examines several questions: What does FCA enforcement look like without a qui tam device? What questions did Zafirov leave unresolved? And what should one expect in the coming years as this issue is litigated on appeal and among other courts?

Can the government successfully enforce the FCA without a qui tam device? If, in the end, the qui tam provision is voided, that does not spell doom for the FCA. This is because the government still has the authority to file FCA actions itself and could hire many more attorneys to investigate and prosecute them. The government also has other mechanisms to entice whistleblowers to come out of the woodwork and inform it of wrongdoing. For example, recently, the US Department of Justice (DOJ) announced the “Corporate Whistleblower Awards Pilot Program.” This enforcement program compensates whistleblowers who inform the DOJ of original and truthful information concerning corporate misconduct. If the information leads to a successful forfeiture of over $1 million, the whistleblower is compensated. Currently, however, the program does not cover FCA claims. But the DOJ or US Congress could theoretically expand this program, or create a new one, to attract whistleblowers who have information concerning FCA violations. Under such a program, the government’s litigation of FCA claims would not be all that different from what happens currently. Rather than intervene in a meritorious FCA case brought by a relator, the government would file its own case based on information provided by a whistleblower. This would avoid the constitutional pitfalls identified in Zafirov. A post-qui tam landscape will certainly see fewer FCA claims being filed overall, but the government would likely file more FCA claims than it does now.

Still, many questions remain unresolved under Zafirov concerning the extent to which relator suits are constitutionally permissible. In Zafirov, the relator was litigating an FCA suit in which the United States declined to intervene. But what happens if the United States does intervene and takes over the case? Are those suits permissible? Does the relator act as an “officer” if her role is just limited to filing a lawsuit? Could the government get around Zafirov by intervening in more cases? Or are all FCA lawsuits filed by a relator invalid ab initio even if the government intervenes? If so, would Congress have to create a mechanism to appoint a relator as an officer for FCA purposes? In short, it is unclear how broadly Zafirov will be read. On one hand, it could be read to only apply to non-intervened cases. On the other hand, the very act of filing a complaint on behalf of the United States may require a constitutional appointment, and the government’s intervention would not cure that taint. These questions will remain unresolved until they are addressed by the Supreme Court.

Only time will tell what will happen as this issue percolates in the courts. Already, several circuit courts have upheld the constitutionality of the qui tam provisions. In the district courts located in circuits that have not yet addressed this issue, defendants are filing dispositive motions arguing that the relator’s appointment is unconstitutional. Though the decision in Zafirov is currently an outlier, it soon may not be as more courts consider arguments that rely on Zafirov’s reasoning.

And the Fox Says… Zafirov is significant because it may be the first blow to a significant enforcement mechanism on which the government heavily relies. But the qui tam provision’s fate is not set in stone. The relator in Zafirov will almost certainly appeal the decision to the Atlanta-based Eleventh Circuit Court of Appeals. That court’s decision may then be appealed to the Supreme Court. The appeals process for Zafirov may take years before the Supreme Court grants certiorari on the issue (if it does at all). In the meantime, the issue is not going away, and Zafirov is unlikely to be a one-off case. Those who are in the throes of an FCA investigation or litigation should raise this issue as a possible litigation risk or as an affirmative defense. The best possible time to raise this issue amid litigation is on a Rule 12(b)(6) motion to dismiss. Even if a case is past this point, Zafirov supports the position that such an argument is not waived, given that the issue goes to the relator’s very authority to bring the suit. So, defendants litigating a case brought by a relator should raise this issue as soon as possible. We at ArentFox Schiff will continue to monitor developments to help our clients navigate this ever-changing legal landscape.

3. Compliance Corner

AI Under the DOJ Microscope: How Health Care Companies Should Respond

Many companies, including health care companies, have incorporated artificial intelligence (AI) into their business practices. While historically, AI has largely been unregulated, that is starting to change. Recently, state governments have begun regulating the use of AI in the health care setting, as our colleagues summarized here regarding recently passed California legislation requiring health care facilities, clinics, and physician practices in the state to disclose the use of AI in communications regarding patient clinical information. Now, AI has the attention of the DOJ.

This past March, Deputy Attorney General Lisa Monaco indicated the DOJ’s interest in AI, stating at the American Bar Association’s 39th National Institute on White Collar Crime that “fraud using AI is still fraud.” Following Monaco’s statement, in September, the Criminal Division of the DOJ updated its Evaluation of Corporate Compliance Programs (ECCP) guidelines to require DOJ prosecutors to consider whether a company’s compliance program safeguards against misuse of AI or other emerging technologies. As a brief primer, the ECCP is a DOJ document that prosecutors use to evaluate the effectiveness of a corporate compliance program in determining whether to criminally charge a company. The document is published publicly and provides helpful insight into the DOJ’s expectations for companies as they build and implement their corporate compliance programs.

Under the updated guidance, the DOJ emphasizes that companies need to assess AI-related risks as part of their overall enterprise risk management systems. Specifically, a corporate compliance program must consider whether it has specific policies and procedures to prevent “any potential negative or unintended consequences” resulting from the use of AI in its business practices and compliance program. Additionally, a company should proactively conduct risk analyses of its use of AI and mitigate the potential for “deliberate or reckless misuse of technologies” by company insiders. Other key considerations are whether the company trains its employees on the use of AI, whether there is a baseline of human decision-making used to assess AI-generated content, and how the company implements accountability over the use of AI.

In its September update, the DOJ also revised a section of the ECCP, asking whether compliance personnel have access to relevant data sources to allow for “timely and effective monitoring and/or testing” of policies, controls, and transactions. A key consideration is whether the assets, resources, and technology available to compliance programs are comparable to those available elsewhere in the company. An imbalance in access to technology and resources may indicate a compliance program’s inability to detect and mitigate risks, particularly if a business unit is given unfettered access to AI tools while compliance lags behind.

Compliance officers at health care companies should take steps now to ensure that the implementation and use of AI within their organizations do not raise any compliance red flags. Consider the recent Texas Attorney General settlement with Pieces Technologies, a company that markets generative AI products, which resolved allegations that the company made misleading statements regarding the accuracy of its products. As part of the settlement, Pieces agreed to provide more explicit disclosures to customers related to how the company’s products should be used and the potential harm that could result from the products.

Providers using such technologies may encounter data privacy and security risks, including cybersecurity risks such as ransomware and malware attacks, bias and fairness concerns with respect to the training of the AI systems that may result in preference for a particular drug or treatment, and reliability and accountability concerns affecting a health care professional’s ability to provide patient care. With that being said, the DOJ could conduct investigations similar to the Pieces investigation against health care providers that use AI without considering these risks.

To help mitigate the risks associated with AI, including in the event of a DOJ investigation, compliance officers should be involved during all stages of discussions around AI initiatives, including through implementation and use. Compliance officers should ensure their companies have appropriate policies and procedures governing the use of AI once it is introduced to their organizations and provide training to employees both on the AI technology and on the policies governing its use. Finally, compliance officers should ensure they have the necessary access to AI systems to conduct compliance oversight measures. Such oversight measures may include assessing AI-related risks as part of their organization’s annual risk assessment, conducting AI-related auditing, and monitoring to help identify potential issues with the technology as they arise.

And the Fox Says… The DOJ’s AI-focused compliance guidance is a call to action for companies to proactively address the legal and regulatory implications of AI technologies, reminding them that the age of AI requires more than just innovation — it demands robust compliance strategies. Companies that conduct regular risk assessments of their practices must consider the use of AI, update policies and procedures to address its use, provide compliance teams with equal data access, and regularly update training on the lawful use of these technologies. Empowering compliance personnel and working with outside compliance experts to make these regular updates will put a company in a good position to meet these new standards. By embracing these guidelines, companies can mitigate legal and regulatory risks while leveraging the capabilities of AI technologies.

4. In Case You Missed It

Our most popular blog post from the last quarter: Federal Court Permits Investors to Resume Kickback Suit Against Teva.

© 2024 ArentFox Schiff LLP
For more on the FCA, visit the NLR Criminal Law Business Crimes section

Telehealth Update: DEA/HHS Temporary Rule, Medicare Coverage of Telehealth Services, Potential for Increased Oversight, and What to Watch For in 2025

Telehealth companies and other industry stakeholders have had a watchful eye towards the end of 2024 and the impending “telehealth cliff” as COVID-era Drug Enforcement Agency (DEA) flexibilities and Medicare expanded telehealth coverage are set to expire. Although a recent temporary joint rule from the DEA and the Department of Health and Human Services (HHS) along with the 2025 Medicare Physician Fee Schedule final rule has provided some hope, questions regarding telehealth access in 2025 and under a new Administration remain unclear. Further, calls continue for increased oversight of telehealth services. Below, we breakdown recent updates for the telehealth industry.

DEA Telehealth Flexibilities

Providing some good news, late last month the DEA and HHS jointly issued a temporary rule (the Temporary Rule) extending the COVID-era flexibilities for prescribing controlled substances via telehealth through the end of 2025. The flexibilities, which previously were twice extended and set to expire December 31, 2024, temporarily waive the in-person requirements for prescribing under the Controlled Substances Act.

The DEA and HHS issued the Temporary Rule to ensure that providers and patients who have come to rely on telehealth services are able to smoothly transition to the new requirements, which as previously covered, are likely to significantly limit providers’ ability to prescribe controlled substances without an in-person interaction. The Temporary Rule also acknowledges that the DEA and HHS continue to work with relevant stakeholders and will use the additional time to promulgate proposed and final regulations that “effectively expand access to telemedicine” in a manner that is consistent with public health and safety, while mitigating the risk of diversion. The agencies also note that the limited time period of the extension is aimed at avoiding investment in new telemedicine companies that may encourage or enable problematic prescribing practices.

The Temporary Rule effectively allows all DEA-registered providers to prescribe Schedule II-V controlled substances via telehealth through the end of 2025, regardless of when the provider-patient relationship was formed. Consistent with the prior temporary rules, the following requirements continue to apply:

  • The prescription must be issued for a legitimate medical purpose by a practitioner acting in the usual course of professional practice.
  • The prescription must be issued pursuant to a telehealth interaction using two-way, real-time audio-visual technology, or for prescriptions to treat a mental health disorder, a two-way, real-time audio-only communication if the patient is not capable of, or does not consent to, the use of video technology.
  • The practitioner must be authorized under their DEA registration to prescribe the basic class of controlled medication specified on the prescription or be exempt from obtaining a registration to dispense controlled substances.
  • The prescription must meet all other requirements of the DEA regulations.

Providers should also be cognizant of applicable state laws that may place additional restrictions on the ability to prescribe certain medications or otherwise provide treatment via telehealth.

Medicare Coverage of Telehealth Services 

Unlike the DEA flexibilities, many of the COVID-era flexibilities for traditional Medicare coverage of telehealth services will end on December 31, 2024. Despite bipartisan support, congressional action is required to extend broad coverage for certain telehealth services existing since March 2020. Most notably, unless Congress acts, beginning January 1, 2025 expiring flexibilities include waiving the originating site requirements to allow beneficiaries to receive services in their homes and expanding the list of Medicare-enrolled providers who can furnish telehealth services.

Further, beginning January 1, 2025, Medicare coverage of telehealth services for beneficiaries outside of rural health care settings will be limited to:

  • Monthly End-Stage Renal Disease visits for home dialysis;
  • Services for diagnosis, evaluation, or treatment of symptoms of an acute stroke;
  • Treatment of substance use disorder or a co-occurring mental health disorder, or for the diagnosis, evaluation or treatment of a mental health disorder;
  • Behavioral health services;
  • Diabetes self-management training; and
  • Nutrition therapy.

For its part, the Centers for Medicare & Medicaid Services (CMS) recently issued its 2025 Medicare Physician Fee Schedule Final Rule (the MPFS Final Rule) extending and making permanent certain telehealth flexibilities within its authority. In particular, through December 31, 2025, practitioners may continue to utilize live video to meet certain Medicare direct supervision requirements and reference their currently enrolled practice when providing telehealth services from their home. The MPFS Final Rule continues to remove frequency limitations for certain hospital inpatient/observation care, skilled nursing facility visits, and critical care consultation services furnished via telehealth. Additionally, the MPFS Final Rule makes permanent the utilization of audio-only telehealth for any Medicare-covered telehealth service.

Increased Telehealth Oversight 

Recent months also have seen renewed calls for increased oversight of telehealth services. In September, the HHS Office for Inspector General (OIG) issued a report (the OIG Report) recommending increased oversight of Medicare coverage of remote patient monitoring. As a basis for its findings, the OIG Report cites the dramatic increased utilization of and payments for remote patient monitoring from 2019 to 2022, the fact that over 40% of Medicare beneficiaries receiving remote patient monitoring did not receive all three components of the service (i.e., education and setup, device supply, and treatment management), and the observation that Medicare lacks key information regarding the data being collected and the types of monitoring devices utilized. Notably, OIG conducted its review in part because of the potential for significant expansion of remote patient monitoring in the Medicare population.

Given these factors, the OIG Report recommends that CMS:

  1. Implement additional safeguards to ensure that remote patient monitoring is used and billed appropriately in Medicare.
  2. Require that remote patient monitoring be ordered and that information about the ordering provider be included on claims and encounter data for remote patient monitoring.
  3. Develop methods to identify what health data are being monitored.
  4. Conduct provider education about billing of remote patient monitoring.
  5. Identify and monitor companies that bill for remote patient monitoring.

Separately, concerns also have been raised regarding the recent emergence of direct-to-consumer telehealth platforms sponsored by pharmaceutical companies. In this model, patients seeking specific medications are linked to a health care provider who can virtually prescribe the requested medication. In October, U.S. Senate Majority Whip Dick Durbin (D-IL), joined by Senators Bernie Sanders (I-VT), Peter Welch (D-VT), and Elizabeth Warren (D-MA) sent letters to several pharmaceutical companies requesting written response to questions regarding these platforms including the cost of direct-to-consumer advertising, the arrangements between the telehealth providers and the pharmaceutical companies, and whether the virtual consultation comply with the standard of care.

Conclusion

Despite attempts to preserve and expand telehealth access and affordability, effective January 1, 2025, many Medicare beneficiaries will be cut off from certain telehealth services unless one of the bills currently pending in Congress is passed. Crucially, bipartisan support for increased access to telehealth services is likely to continue in both chambers of Congress. Although the incoming Administration has not detailed its plans regarding telehealth access on a permanent, or even temporary basis, telehealth will continue to play an important role in the United States health care system through 2025 and beyond. As telehealth continues to play an important role in increasing access to care, increased oversight and enforcement is almost certain, even if future oversight priorities are unclear. As always, we will continue to monitor and report on important telehealth developments.

©1994-2024 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
For more on Telehealth, visit the NLR Health Law Managed Care section

New Fact Sheet Highlights ASTP’s Concerns About Certified API Practices

On October 29, 2024, the US Department of Health and Human Services (HHS) Assistant Secretary for Technology Policy (ASTP) released a fact sheet titled “Information Blocking Reminders Related to API Technology.” The fact sheet reminds developers of application programming interfaces (APIs) certified under the ASTP’s Health Information Technology (IT) Certification Program and their health care provider customers of practices that constitute information blocking under ASTP’s information blocking regulations and information blocking condition of certification applicable to certified health IT developers.

In Depth

The fact sheet is noteworthy because it follows ASTP’s recent blog post expressing concern about reports that certified API developers are potentially violating Certification Program requirements and engaging in information blocking. ASTP also recently strengthened its feedback channels by adding a section specifically for API-linked complaints and inquiries to the Health IT Feedback and Inquiry Portal. It appears increasingly likely that initial investigations and enforcement of the information blocking prohibition by the HHS Office of Inspector General will focus on practices that may interfere with access, exchange, or use of electronic health information (EHI) through certified API technology.

The fact sheet focuses on three categories of API-related practices that could be information blocking under ASTP’s information blocking regulations and Certification Program condition of certification:

  • ASTP cautions against practices that limit or restrict the interoperability of health IT. For example, the fact sheet states that health care providers who locally manage their fast healthcare interoperability resources (FHIR) servers without certified API developer assistance may engage in information blocking when they refuse to provide to certified API developers the FHIR service base URL necessary for patients to access their EHI.
  • ASTP states that impeding innovations and advancements in access, exchange, or use of EHI or health-IT-enabled care delivery may be information blocking. For example, the fact sheet indicates that a certified API developer may engage in information blocking by refusing to register and enable an application for production use within five business days of completing its verification of an API user’s authenticity as required by ASTP’s API maintenance of certification requirements.
  • ASTP states that burdensome or discouraging terms, delays, or influence over customers and users may be information blocking. For example, ASTP states that a certified electronic health record (EHR) developer may engage in information blocking by conditioning the disclosure of interoperability elements to third-party developers on the third-party developer entering into business associate agreements with all of the EHR developer’s covered entity customers, even if the work being done is not for the benefit of the customers and HIPAA does not require the business associate agreements.

The fact sheet does not address circumstances under which any of the above practices of certified API developers may meet an information blocking exception (established for reasonable practices that interfere with access, exchange, or use of EHI). Regulated actors should consider whether exceptions apply to individual circumstances.

© 2024 McDermott Will & Emery
For more on API Practices, visit the NLR Health Law Managed Care section

HIPAA Gets a Potential Counterpart in HISAA

Americans hear about cybersecurity incidents on a frequent basis. As the adage goes, it is not a matter of “if” a breach or security hack occurs; it is a matter of “when.” At no time was that more evident earlier this year when the healthcare industry was hit with the widespread ransomware attack on Change Healthcare, a subsidiary of the United Health Group. Because of the nature of the Change Healthcare shutdown and its impact across the industry, the U.S. Department of Health & Human Services (HHS) and its HIPAA enforcement arm, the Office for Civil Rights (OCR), conducted investigations and issued FAQ responses for those impacted by the cybersecurity event.

In further response, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. Like HIPAA and HITECH before it, which established minimum levels of protection for healthcare information, HISAA looks to reshape how healthcare organizations address cybersecurity by enacting mandatory minimum security standards to protect healthcare information and by providing initial financial support to facilitate compliance. A copy of the legislative text can be found here, and a one-page summary of the bill can be found here.

To date, HIPAA and HITECH require covered entities and business associates to develop, implement, and maintain reasonable and appropriate “administrative, technical, physical” safeguards to protect electronic Protected Health Information or e-PHI. However, the safeguards do not specify minimum requirements; instead, they prescribe standards intended to be scalable, depending on the specific needs, resources, and capabilities of the respective organization. What this means is that e-PHI stored or exchanged among interconnected networks are subject to systems with often different levels of sophistication or protection.

Given the considerable time, effort, and resources dedicated to HIPAA/HITECH compliance, many consider the current state of voluntary safeguards as inadequate. This is especially the case since regulations under the HIPAA Security Rule have not been updated since 2013. As a result, Senators Wyden and Warner introduced HISAA in an effort to bring the patchwork of healthcare data security standards under one minimum umbrella and to require healthcare organizations to remain on top of software systems and cybersecurity standards.

Key pieces of HISAA, as proposed, include:

  1. Mandatory Cybersecurity Standards—If enacted, the Secretary of HHS, together with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the Director of National Intelligence (DNI), will oversee the development and implementation of required standards and the standards will be subject to review and update every two years to counter evolving threats.
  2. Annual Audits and Stress Tests—Like current Security Risk Assessment (SRA) requirements, HISAA will require healthcare organizations to conduct annual cybersecurity audits and document the results. Unlike current requirements, these audits will need to be conducted by independent organizations to assess compliance, evaluate restoration abilities, and conduct stress tests in real-world simulations. While smaller organizations may be eligible for waivers from certain requirements because of undue burden, all healthcare organizations will have to publicly disclose compliance status as determined by these audits.
  3. Increased Accountability and Penalties—HISAA would implement significant penalties for non-compliance and would require healthcare executives to certify compliance on an annual basis. False information in such certifications could result in criminal charges, including fines of up to $1 million and prison time for up to 10 years. HISAA would also eliminate fine caps to allow HHS to impose penalties commiserate with the level needed to deter lax behaviors, especially among larger healthcare organizations.
  4. Financial Support for Enhancements—Because the costs for new standards could be substantial, especially for smaller organizations, HISAA would allocate $1.3 billion to support hospitals for infrastructure enhancements. Of this $1.3 billion, $800 million would be for rural and safety net hospitals over the first two years, and an additional $500 million would be available for all hospitals in succeeding years.
  5. Medicare Payment Adjustments—Finally, HISAA enables the Secretary of HHS to provide accelerated Medicare payments to organizations impacted by cybersecurity events. HHS offered similar accelerated payments during the Change Healthcare event, and HISAA would codify similar authority to HHS for recovery periods related to future cyberattacks.

While HISAA will establish a baseline of cybersecurity requirements, compliance with those requirements will require a significant investment of time and resources in devices and operating systems/software, training, and personnel. Even with the proposed funding, this could result in substantial challenges for smaller and rural facilities to comply. Moreover, healthcare providers will need to prioritize items such as encryption, multi-factor authentication, real-time monitoring, comprehensive response and remediation plans, and robust training and exercises to support compliance efforts.

Finally, at this juncture, the more important issue is for healthcare organizations to recognize their responsibilities in maintaining effective cybersecurity practices and to stay updated on any potential changes to these requirements. Since HISAA was introduced in the latter days of a hectic (and historic) election season, we will monitor its progress as the current Congress winds down in 2024 and the new Congress readies for action with a new administration in 2025.

© 2024 Winstead PC.
For more on HIPAA, visit the NLR Health Law Managed Care section

No More Fraud Vampires: Whistleblowers Put a Stake in Phlebotomy Unlawful Kickback Scheme

31 October 2024. Two whistleblowers “stopped the bleeding” caused by an alleged kickback scheme perpetrated by a mobile phlebotomy service based in California. Veni-Express, Inc. and its owners have agreed to pay $135,000 to settle allegations of violating the Anti-Kickback Statute and False Claims Act. While the award for the two whistleblowers has not yet been determined, False Claims Act qui tam whistleblowers may be rewarded between 15-25% of the settlement.

Overview of the Case

According to the allegations, from 2015 to 2019, Veni-Express allegedly submitted false claims to federal health care programs for services that were not actually performed. These services included venipuncture procedures during homebound patient visits and non-reimbursable travel mileage claims for the visits. The fraudulent activities were reportedly conducted with the oversight of the company’s owners, Myrna and Sonny Steinbaum.

Additionally, between July 2014 and June 2015, Veni-Express allegedly paid unlawful kickbacks to Altera Laboratories, also known as Med2U Healthcare LLC, to market their services. These kickbacks were disguised as a percentage of company revenue.

Unlawful Kickbacks and Phantom Billing

The Anti-Kickback Statute (AKS) is a federal law that prohibits healthcare providers from offering, soliciting, or receiving anything of value to induce or reward referrals for services covered by federally funded healthcare programs, such as Medicare and Medicaid. When providers violate the AKS, they compromise patient care by prioritizing financial gain over medical necessity, which can lead to unnecessary, costly, or substandard treatments. Phantom billing, which involves charging Medicare and Medicaid for services never provided, drains funds that could otherwise be used for essential care for beneficiaries. It leads to increased healthcare costs, putting a strain on federally funded healthcare programs and potentially causing cuts or restrictions in services. This fraudulent practice also erodes trust in the healthcare system, which can prevent beneficiaries from seeking the care they need. As the Special Agent in Charge for the Department of Health and Human Services Office of the Inspector General said about the case, “Improper incentives and billing Medicare for services never actually provided divert taxpayer funding meant to pay for medically necessary services for Medicare enrollees.”

Settlement Details

The settlement agreement is based upon the parties’ ability to pay, requiring Veni-Express to pay $100,000, with additional payments contingent upon the sale of company property. Myrna Steinbaum will pay $25,000, while Sonny Steinbaum will contribute $10,000.

Whistleblower Involvement

The whistleblowers in the qui tam actions were a former phlebotomist and a laboratory technical director. The qui tam provision in the False Claims Act allows private citizens with knowledge of fraud to report fraud schemes to the government and share in the government’s recovery.

Implications for Healthcare Professionals

This whistleblower settlement serves as a cautionary tale for healthcare professionals, emphasizing the need for strict adherence to regulatory standards. It underscores the power industry insiders have to speak up and put an end to fraud schemes that taint the healthcare profession.

© 2024 by Tycko & Zavareei LLP
For more on Whistleblowers, visit the NLR Criminal Law Business Crimes section.

Mental Health Parity and Addiction Equity Act Final Rules (“Final Rules”) Are Released: Plans and Issuers Must Prepare for January 1, 2025 Effective Date (US)

The long-awaited Final Rules amending the Mental Health Parity and Addiction Equity Act (“MHPAEA”) were released on September 9, 2024, with the bulk of the requirements going into effect on January 1, 2025. As we previously reported here, in August 2023, the Departments of Labor, Health and Human Services (“HHS”) and Treasury (together, the “Departments”) published proposed rules further regulating insurance coverage for treatment for mental health and substance use disorders. Although the Final Rules appear less burdensome than the proposed rules, they do impose significant changes to the obligations of group health plans and health insurance issuers with a short time to achieve compliance. The key provisions are summarized below.

Key Changes in the Final Rules

The Final Rules’ stated intent is to “strengthen consumer protections consistent with MHPAEA’s fundamental purpose,” which includes reducing burdens on access to benefits for individuals in group health plans or with group or individual health insurance coverage seeking treatment for mental health and substance use disorders (“MH/SUD”) as compared to accessing benefits for the treatment of medical/surgical (“M/S”) conditions.

The Final Rules purport to achieve that goal through four key changes to the MHPAEA:

  • Mandating content requirements for performing a comparative analysis of the design and application of each non-quantitative treatment limitation (“NQTL”) applicable to MH/SUD benefits.
  • Setting forth design and application requirements and relevant data evaluation requirements to ensure compliance with NQTL rules.
  • Increasing scrutiny of network adequacy for MH/SUD benefits.
  • Introducing core treatment coverage requirements to the meaningful benefit standard.

Comparative Analysis Content Requirements

Since 2021, insurance plans and issuers offering plans that cover both M/S and MH/SUD benefits and impose NQTLs on MH/SUD benefits must have a written comparative analysis demonstrating that the factors used to apply an NQTL to MH/SUD benefits are comparable to and applied no more stringently than those used to apply that same NQTL to M/S benefits, as set forth in the 2021 Consolidated Appropriations Act (“CAA”). The Final Rules expand upon the NQTL analysis required by the CAA and include six specific content elements:

  1. a description of the NQTL;
  2. identification and definition of the factors and evidentiary standards used to design or apply the NQTL;
  3. a description of how factors are used in the design or application of the NQTL;
  4. a demonstration of comparability and stringency, as written;
  5. a demonstration of comparability and stringency, in operation, including the required data, evaluation of that data, explanation of any material differences in access, and description of reasonable actions taken to address such differences; and
  6. findings and conclusions.

Upon request, plans and issuers must provide written comparative analyses to U.S. regulators, plan beneficiaries, participants, or enrollees who have received an adverse benefit determination related to MH/SUD benefits, and participants and beneficiaries in plans governed by ERISA at any time. Plans and issuers only have 10 business days to respond to a request from the relevant Secretary to review its comparative analyses and, if an initial determination of noncompliance is made, the plan or issuer only has 45 calendar days to respond with specific actions it will take to bring the plan into compliance and provide additional comparative analyses that demonstrate compliance. Upon a final determination of noncompliance, notice must be given to all participants, beneficiaries, and enrollees within seven business days after the relevant Secretary’s determination.

Demonstrating Compliance with NQTL Rules

The Final Rules also require that a NQTL applicable to MH/SUD benefits in a classification is no more restrictive than the predominant NQTL applied to M/S benefits in the same classification. In order to ensure compliance with NQTL rules, plans and issuers must satisfy two sets of requirements: (1) the design and application requirements, and (2) the relevant data evaluation requirements. For example, under the design and application requirements, a plan cannot reimburse non-physician providers of MH/SUD services by reducing the rates for physician providers of MH/SUD services unless it applies the same reduction to non-physician providers of M/S services from the rate for physician providers of such services. Under the relevant data evaluation requirements, to compare the impact of NQTLs related to network composition on access to MH/SUD versus M/S benefits, a plan should evaluate metrics relating to the time and distance from plan participants and beneficiaries to network providers, the number of network providers accepting new patients, provider reimbursement rates, and in-network and out-of-network utilization rates.

Design and Application

Plans and issuers must examine the factors used to design and apply an NQTL to MH/SUD benefits to ensure such factors are comparable to those used with respect to M/S benefits in the same classification. The Final Rules also prohibit using information that discriminates against MH/SUD benefits as compared to M/S benefits, meaning information that systematically disfavors or was specifically designed to disfavor access to MH/SUD benefits. Appropriate information and other factors to use in designing and applying an NQTL to MH/SUD benefits include generally recognized independent professional medical or clinical standards.

Relevant Data Evaluation

The relevant data evaluation requirement means plans and issuers must collect and evaluate data to ensure, in operation, that an NQTL applicable to MH/SUD benefits is not more restrictive than the NQTL applied to M/S benefits in the same classification. The Final Rules anticipate that the relevant data for any given NQTL will depend on the facts and circumstances and provide flexibility for plans to determine what should be collected and evaluated. Examples of relevant data provided in the Final Rules include the number and percentage of claim denials, utilization rates, and network adequacy rates.

Network Adequacy

The Final Rules demonstrate the Departments’ increased scrutiny of network adequacy issues for MH/SUD benefits. For NQTLs related to network composition standards, a plan or issuer must collect data to assess the NQTLs’ aggregate impact on access to MH/SUD benefits and M/S benefits. By way of example, suppose the evaluated data suggests that an NQTL contributes to a material difference in access to MH/SUD benefits compared to M/S benefits. In that case, plans and issuers must act to address any material differences in access. The Final Rules provide examples of reasonable compliance actions, including increased recruiting efforts for MH/SUD providers, expanding telehealth options under the plan, and ensuring that provider directories are accurate and reliable. A plan must document the actions that it takes to address differences in access to in-network MH/SUD providers as compared to in-network M/S providers.

Meaningful Benefit Standard

The Final Rules require plans to provide “meaningful” benefits for MH/SUD disorders in every classification in which the plan provides M/S benefits. Benefits are “meaningful,” for MHPAEA purposes, when they cover core treatments for that condition, meaning a standard treatment or course of treatment, therapy, service, or intervention indicated by generally recognized independent standards of current medical practice.

The Final Rules provide examples to demonstrate the application of the meaningful benefits standard. In one example, a plan covers the full range of outpatient treatments (including core treatments) and treatment settings for M/S benefits when provided on an out-of-network basis. The same plan covers outpatient, out-of-network developmental screenings for a mental health condition but excludes all other benefits, such as therapeutic intervention, for outpatient treatment when provided on an out-of-network basis. The Departments view therapeutic intervention, however, as a core treatment for the mental health condition under generally recognized independent standards of current medical practice. Per the Final Rules, the Departments interpret such exclusion as a violation because the plan does not cover a core treatment for the mental health disorder in the outpatient, out-of-network classification. Since the plan’s coverage for M/S benefits includes a core treatment in the classification, the Final Rules opine that the plan fails to provide meaningful benefits for treatment of the mental health disorder.

Effective Dates

The new requirements of the Final Rules will go into effect on different dates. Plans and issuers have until January 1, 2026, to comply with the meaningful benefits standard, the prohibition on discriminatory factors and evidentiary standards, the relevant data evaluation requirements, and the related requirements in the provisions for comparative analyses. During this time, plans and issuers should assess whether their mental health provider networks are adequate, and also consider expanding the scope of MH/SUD benefits across classifications to meet new parity requirements.

The other requirements, including most of the new requirements affecting comparative analyses, go into effect on January 1, 2025. Accordingly, plans and issuers should the time remaining this year to develop a plan to prepare NQTL comparative analyses within the three-month compliance period, and have processes in place to quickly address any material changes to benefit design in the future.

© Copyright 2024 Squire Patton Boggs (US) LLP
For more on MHPAEA, visit the NLR Health Law Managed Care section.

Application of New Mental Health Parity Rules to Provider Network Composition and Reimbursement: Perspective and Analysis

On September 23, 2024, the U.S. Departments of Labor, the Treasury, and Health and Human Services (collectively, the “Departments”) released final rules (the “Final Rules”) that implement requirements under the Mental Health Parity and Addiction Equity Act (MHPAEA).

The primary focus of the Final Rules is to implement new statutory requirements under the Consolidated Appropriations Act of 2021, which amended MHPAEA to require health plans and issuers to develop comparative analyses to determine whether nonquantitative treatment limitations (NQTLs)—which are non-financial restrictions on health care benefits that can limit the length or scope of treatment—for mental health and substance use disorder (MH/SUD) benefits are comparable to and applied no more stringently than NQTLs for medical/surgical (M/S) benefits.

Last month, Epstein Becker Green published an Insight entitled “Mental Health Parity: Federal Departments of Labor, Treasury, and Health Release Landmark Regulations,” which provides an overview of the Final Rules. This Insight takes a closer look at the application of the Final Rules to NQTLs related to provider network composition and reimbursement rates.

Provider Network Composition and Reimbursement NQTL Types

A key focus of the Final Rules is to ensure that NQTLs related to provider network composition and reimbursement rates do not impose greater restrictions on access to MH/SUD benefits than they do for M/S benefits.

In the Final Rules, the Departments decline to specify which strategies and functions they expect to be analyzed as separate NQTL types, instead requiring health plans and issuers to identify, define, and analyze the NQTL types that they apply to MH/SUD benefits. However, the Final Rules set out that the general category of “provider network composition” NQTL types includes, but is not limited to, “standards for provider and facility admission to participate in a network or for continued network participation, including methods for determining reimbursement rates, credentialing standards, and procedures for ensuring the network includes an adequate number of each category of provider and facility to provide services under the plan or coverage.”[1]

For NQTLs related to out-of-network rates, the Departments note that NQTLs would include “[p]lan or issuer methods for determining out-of-network rates, such as allowed amounts; usual, customary, and reasonable charges; or application of other external benchmarks for out-of-network rates.”[2]

Requirements for Comparative Analyses and Outcomes Data Evaluation

For each NQTL type, plans must perform and document a six-step comparative analysis that must be provided to federal and state regulators, members, and authorized representatives upon request. The Final Rules divide the NQTL test into two parts: (1) the “design and application” requirement and (2) the “relevant data evaluation” requirement.

The “design and application” requirement, which builds directly on existing guidance, requires the “processes, strategies, evidentiary standards, or other factors” used in designing and applying an NQTL to MH/SUD benefits to be comparable to, and applied no more stringently than, those used for M/S benefits. Although these aspects of the comparative analysis should be generally familiar, the Final Rules and accompanying preamble provide extensive new guidance about how to interpret and implement these requirements.

The Final Rules also set out a second prong to the analysis: the requirement to collect and evaluate “relevant data” for each NQTL. If such analysis shows a “material difference” in access, then the Final Rules also require the plan to take “reasonable” action to remedy the disparity.

The Final Rules provide that relevant data measures for network composition NQTLs may include, but are not limited to:

  • in-network and out-of-network utilization rates, including data related to provider claim submissions;
  • network adequacy metrics, including time and distance data, data on providers accepting new patients, and the proportions of available MH/SUD and M/S providers that participate in the plan’s network; and
  • provider reimbursement rates for comparable services and as benchmarked to a reference standard, such as Medicare fee schedules.

Although the Final Rules do not describe relevant data for out-of-network rates, these data measures may parallel measures to evaluate in-network rates, including measures that benchmark MH/SUD and M/S rates against a common standard, such as Medicare fee schedule rates.

Under the current guidance, plans have broad flexibility to determine what measures must be used, though the plan must ensure that the metrics that are selected reasonably measure the actual stringency of design and application of the NQTL with regard to the impact on member access to MH/SUD and M/S benefits. However, additional guidance is expected to further clarify the data evaluation requirements that may require the use of specific measures, likely in the form of additional frequently asked questions as well as updates to the Self-Compliance Tool published by the Departments to help plans and issuers assess whether their NQTLs satisfy parity requirements.

The Final Rules require plans to look at relevant data for network composition NQTLs in the aggregate—meaning that the same relevant data must be used for all NQTL types (however defined). As such, the in-operation data component of the comparative analysis for network composition NQTLs will be aggregated.

If the relevant data indicates a “material difference,” the threshold for which the plan must establish and define reasonably, the plan must take “reasonable actions” to address the difference in access and document those actions.

Examples of a “reasonable action” that plans can take to comply with network composition requirements “include, but are not limited to:

  1. Strengthening efforts to recruit and encourage a broad range of available mental health and substance use disorder providers and facilities to join the plan’s or issuer’s network of providers, including taking actions to increase compensation or other inducements, streamline credentialing processes, or contact providers reimbursed for items and services provided on an out-of-network basis to offer participation in the network;
  2. Expanding the availability of telehealth arrangements to mitigate any overall mental health and substance use disorder provider shortages in a geographic area;
  3. Providing additional outreach and assistance to participants and beneficiaries enrolled in the plan or coverage to assist them in finding available in-network mental health and substance use disorder providers and facilities; and
  4. Ensuring that provider directories are accurate and reliable.”

These examples of potential corrective actions and related discussion in the Final Rules provide an ambitious vision for a robust suite of strategies that the Departments believe that plans should undertake to address material disparities in access as defined in the relevant data. However, the Final Rules put the onus on the plan to design the strategy that it will use to define “material differences” and remedy any identified disparity in access. Future guidance and enforcement may provide examples of how this qualitative assessment will play out in practice and establish both what the Departments will expect with regard to the definition of “material differences” and what remedial actions they consider to be sufficient. In the interim, it is highly uncertain what the practical impact of these new requirements will be.

Examples of Network Analyses Included in the Final Rules

The Final Rules include several examples to clarify the application of the new requirements to provider network composition NQTLs. Unfortunately, the value of these examples for understanding how the Final Rules will impact MH/SUD provider networks in practice may be limited. As a result, given the lack of detail regarding the complexity of analyzing these requirements for actual provider networks, as well as the fact that the examples fail to engage in any meaningful discussion of where to identify the threshold for compliance with these requirements, it remains to be seen how regulators will interpret and enforce these requirements in practice.

  • Example 1 demonstrates that it would violate the NQTL requirements to apply a percentage discount to physician fee schedule rates for non-physician MH/SUD providers if the same reduction is not applied for non-physician M/S providers. Our takeaways from this example include the following:
    • This example is comparable to the facts that were alleged by the U.S. Department of Labor in Walsh v. United Behavioral Health, E.D.N.Y., No. 1:21-cv-04519 (8/11/21).
    • Example 1 is useful to the extent that it clarifies that a reimbursement strategy that specifically reduces MH/SUD provider rates in ways that do not apply to M/S provider rates would violate MHPAEA. However, such cut-and-dried examples may be rare in practice, and a full review of the strategies for developing provider reimbursement rates is necessary.
  • Example 4 demonstrates that plans may not simply rely on periodic historic fee schedules as the sole basis for their current fee schedules. Here are some key takeaways from this example:
    • Even though this methodology may be neutral and non-discriminatory on its face, given that the historic fee schedules are not themselves a non-biased source of evidence, to meet the new requirements for evidentiary standards and sources, the plan would have to demonstrate that these historic fee schedules were based on sources that were objective and not biased against MH/SUD providers.
    • If the plan cannot demonstrate that the evidentiary standard used to develop its fee schedule does not systematically disfavor access to MH/SUD benefits, it can still pass the NQTL test if it takes steps to cure the discriminatory factor.
    • Example 4 loosely describes a scenario where a plan supplements a historic fee schedule that is found to discriminate against MH/SUD access by accounting for the current demand for MH/SUD services and attracting “sufficient” MH/SUD providers to the network. Unfortunately, however, the facts provided do not clarify what steps were taken to achieve this enhanced access or how the plan or regulator determined that access had become “sufficient” following the implementation of the corrective actions.
  • Example 10 provides that if a plan’s data measures indicate a “material difference” in access to MH/SUD benefits relative to M/S benefits that are attributable to these NQTLs, the plan can still achieve compliance by taking corrective actions. Our takeaways from this example include the following:
    • The facts in this example stipulate that the plan evaluates all of the measure types that are identified above as examples. Example 10 also states that a “material difference” exists but does not identify the measure or measures for which a difference exists or what facts lead to the conclusion that the difference was “material.” To remedy the material difference, this example states that the plan undertakes all of the corrective actions to strengthen its MH/SUD provider network that are identified above as examples and, therefore, achieves compliance. However, this example fails to clarify how potentially inconsistent outcomes across the robust suite of identified measures were balanced to determine that the “material difference” standard was ultimately met. Example 10 also does not provide any details about what specific corrective actions the plan takes or what changes result from these actions.

Epstein Becker Green’s Perspective

The new requirements of the Final Rules will significantly increase the focus of the comparative analyses on the outcomes of the provider network NQTLs. For many years, the focus of the comparative analyses was primarily on determining whether any definable aspect of the plan’s provider contracting and reimbursement rate-setting strategies could be demonstrated to discriminate against MH/SUD providers. The Final Rules retain those requirements but now put greater emphasis on the results of network composition activities with regard to member access and require plans to pursue corrective actions to remediate any material disparities in that data. This focus on a robust “disparate impact” form of anti-discrimination analysis may lead to a meaningful increase in reimbursement for MH/SUD providers or other actions to more aggressively recruit them to participate in commercial health plan networks.

However, at present, it remains unclear which measures the Departments will ultimately require for reporting. Concurrent with the release of their Notice of Proposed Rulemaking on July 23, 2023, the Departments published Technical Release 2023-01P to solicit comments on key approaches to evaluating comparability and stringency for provider network access and reimbursement rates (including some that are referenced as examples in the Final Rules). Comments to the Technical Release highlighted significant concerns with nearly all of the proposed measures. For example, proposals to require analysis of MH/SUD and M/S provider reimbursement rates for commercial markets that are benchmarked to Medicare fee schedules in a simplistic way may fail to account for differences in population health and utilization, value-based reimbursement strategies, and a range of other factors with significant implications for financial and clinical models for both M/S and MH/SUD providers. Requirements to analyze the numbers or proportions of MH/SUD and M/S providers that are accepting new patients may be onerous for providers to report on and for plans to collect and may obscure significant nuances with regard to wait times, the urgency of the service, and the match between the provider’s training and service offerings to the patient’s need. Time and mileage standards highlighted by the Departments not only often fail to capture important access challenges experienced by patients who need MH/SUD care from sub-specialty providers or facilities but also fail to account for evolving service delivery models that may include options such as mobile units, school-based services, home visits, and telehealth. Among the measures identified in the Technical Release, minor differences in measure definitions and specifications can have significant impacts on the data outcomes, and few (if any) of the proposed measures have undergone any form of testing for reliability and validity.

Also, it is still not clear where the Departments will draw the lines for making final determinations of noncompliance with the Final Rules. For example, where a range of different data measures is evaluated, how will the Departments resolve data outcomes that are noisy, conflicting, or inconclusive? Similarly, where regulators do conclude that the data that are provided suggest a disparity in access, the Final Rules identify a highly robust set of potential corrective actions. However, it remains to be seen what scope of actions the Departments will determine to be “good enough” in practice.

Finally, we are interested in seeing what role private litigation will play in driving health plan compliance efforts and practical impacts for providers. To date, plaintiffs have found it challenging to pursue litigation on the basis of claims under MHPAEA, due in part to the highly complex arguments that must be made to evaluate MHPAEA compliance and in part to the challenge for plaintiffs to have adequate insight into plan policies, operations, and data across MH/SUD and M/S benefits to adequately assert a complaint under MHPAEA. Very few class action lawsuits or large settlements have occurred to date. These challenges for potential litigants may continue to limit the volume of litigation. However, to the extent that the additional guidance in the Final Rules does give rise to an uptick in successful litigation, it is possible that the courts may end up having a greater impact on health plan compliance strategies than regulators.

ENDNOTES

[1] 26 CFR 54.9812- 1(c)(4)(ii)(D), 29 CFR 2590.712(c)(4)(ii)(D), and 45 CFR 146.136(c)(4)(ii)(D).

[2] 26 CFR 54.9812- 1(c)(4)(ii)(E), 29 CFR 2590.712(c)(4)(ii)(E), and 45 CFR 146.136(c)(4)(ii)(E).

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Mental Health, visit the NLR Health Law Managed Care section

BIOSECURE Act: Anticipated Movement, Key Provisions, and Likely Impact

Last night, the House of Representatives passed the BIOSECURE Act (BIOSECURE or the Act) by a bipartisan vote of 306 to 81.

The BIOSECURE Act prohibits federal agencies from procuring or obtaining any biotechnology equipment or service produced or provided by a biotechnology company of concern. Subject to some exceptions, it also prohibits federal agencies from contracting with a company that uses equipment or services produced or provided by a biotechnology company of concern. Further, the Act prohibits recipients of a loan or grant from a federal agency from using federal funds to purchase equipment or services from a biotechnology company of concern.

The Senate version of BIOSECURE, sponsored by Sens. Gary Peters (D-MI) and Bill Hagerty (R-TN), was voted out of the Senate Committee on Homeland Security and Governmental affairs with bipartisan support in March 2024. Given its passage in the House last night, the BIOSECURE Act is likely to be signed into law by the end of the year. The House version of BIOSECURE is likely to be the version that becomes law. President Biden is unlikely to veto the Act given its bipartisan support, his previous executive actions to support domestic biotechnology development, and his Administration’s approach towards competition with China.

The Act defines “biotechnology company of concern” as any entity that:

  • is subject to the jurisdiction, direction, control, or operates on behalf of the government of a foreign adversary (defined as China, Cuba, Iran, North Korea, and Russia);
  • is involved in the manufacturing, distribution, provision, or procurement of a biotechnology equipment or service; and
  • poses a risk to U.S. national security based on:
    • engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces, or intelligence agencies;
    • providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or
    • obtaining human multiomic data via the biotechnology equipment or services without express and informed consent.

Somewhat unusually, the Act names specific Chinese companies as automatically qualifying as “biotechnology companies of concern”:

  • BGI (formerly known as the Beijing Genomics Institute);
  • MGI;
  • Complete Genomics;
  • WuXi AppTec; and
  • WuXi Biologics.

Both categories include any subsidiary, parent, affiliate, or successor entities of biotechnology companies of concern.

The Act also has very broad definitions of “biotechnology equipment or service.” The definition of equipment encompasses any machine, device, or subcomponent, including software that is “designed for use in the research, development, production, or analysis of biological materials.” The definition of services is similarly broad.

The BIOSECURE Act also requires the Office of Management and Budget (OMB) to publish a list of additional biotechnology companies of concern. The list is prepared by the Secretary of Defense in coordination with the Secretaries of the Departments of Health and Human Services, Justice, Commerce, Homeland Security, and State, as well as the Director of National Intelligence and National Cyber Director. This list of companies must be published by OMB within one year of BIOSECURE’s enactment and reviewed annually by OMB in consultation with the other Departments.

Guidance and Regulatory Authorities

OMB is also tasked with developing guidance and has 120 days from enactment of the statute to do so for the named companies. For the list of biotechnology companies of concern, OMB’s guidance must be established within 180 days after the development of the list.

Beyond OMB, the Act requires the Federal Acquisition Regulatory Council to revise the Federal Acquisition Regulation (FAR) to incorporate its prohibitions. The FAR regulations must be issued within one year of when OMB establishes its guidance.

For named companies the Act’s prohibitions are effective 60 days after the issuance of the FAR regulations. For companies placed on the biotechnology company of concern list, the effective date for the Act’s prohibitions is 80 days after the issuance of FAR regulations.

Impact on Existing Business Relationships

In response to stakeholder concerns about disrupting existing commercial relationships and triggering delays in drug development, the House version of the BIOSECURE Act provides a five-year unwinding period for contracts and agreements entered into before the Act’s effective dates. Contracts entered into after the Act’s effective dates do not qualify for the five year unwinding period.

Process for Designating Companies

BIOSECURE specifies the process for designating a biotechnology company of concern. Critically, the Act does not require OMB to notify a company prior to the Department of Defense making the designation. Rather, a company will receive notice that it is being designated and placed on the biotechnology company of concern list. Moreover, the criteria for listing will only be provided “to the extent consistent with national security and law enforcement interests.” Thus, companies may face a circumstance where they are not provided the evidence supporting their designation.

Once a company receives the notice, it will have 90 days to submit information and arguments opposing the listing. The Act does not require a hearing or any formal administrative process. If practicable, the notice may also include steps the company could take to avoid being listed, but it is not required.

Safe Harbor, Waivers and Exceptions

The Act only has one safe harbor for biotechnology equipment or services that were formerly but no longer provided or produced by a biotechnology company of concern. This safe harbor seems intended to allow a biotechnology company of concern to sell their ownership of a product or service to another company without prohibitions applying to the new owner.

Agency heads may waive the Act’s prohibitions on a case-by-case basis, but only with the approval of OMB acting “in coordination with the Secretary of Defense.” Waivers must be reported to Congress within 30 days of being granted. The waiver may last for up to a year with an additional “one time” extension of 180 days allowed if an agency head determines it is “in the national security interests of the United States.” The 180-day extension must be approved by OMB and the agency head must notify and submit a justification to Congress within 10 days of the waiver being granted.

The Act has only two exceptions. First, its prohibitions do not apply to intelligence activities. Second, the prohibitions do not apply to health care services provided to federal employees, members of the armed services, and government contractors who are stationed in a foreign country or on official foreign travel.

Impact and Considerations for Clients

1. Increased Risk of Partnerships with Chinese Companies and Researchers:

Pharmaceutical and biotechnology companies that receive federal funding or contract with federal agencies should be prepared to wind down business ties to biotechnology companies in China. Impacted companies need to begin evaluating the risk to their supply chains, manufacturing capacity, and R&D pipelines in the event a business partner is listed.

Universities in the United States and other research institutes that receive federal funding will also need to undertake a similar assessment of their research partners and collaborators based in China.

2. Loss of CDMO capacity:

Wuxi App Tec is a large, global provider of contract development and manufacturing (CDMO) services to the life sciences industry. According to the New York Times “[b]y one estimate Wuxi has been involved in developing one-fourth of the drugs used in the United States.” BIOSECURE would effectively ban Wuxi from conducting business in the United States, and if passed, risks causing delays, shortages, and cost increases as companies seek to transition to other CDMOs. It will likely take years for competitors to replace the lost CDMO capacity.

3. Fate of Wuxi U.S. Facilities:

Wuxi has a large presence in the United States. It operates 12 facilities and employs almost 2,000 people. Normally, Wuxi would be expected to sell its U.S.-based facilities. However, based on Tiktok’s experience, it is unclear if the Government of China will permit Wuxi to sell its facilities as opposed to dismantling and/or relocating facilities outside of the United States.

4. OMB’s Management of Biotechnology Companies of Concern List

OMB does not typically manage processes like the one envisioned by BIOSECURE. How OMB interprets the broad criteria for listing companies will be critical. Which Departments, beyond the Department of Defense, will have the greatest influence on OMB’s decision making and how open OMB is to evidence from companies seeking to avoid listing will also need to be watched closely. Until OMB starts preparing its guidance and the FAR regulations are proposed, it is hard to anticipate the rate at which new companies will be added to the list. How the process established by BIOSECURE will interact with or leverage existing entity lists will be another development to closely monitor.

5. Retaliation by China

BIOSECURE’s passage is likely to trigger a response from the Government of China. Responses could range from imposing its own export controls to using the country’s sweeping national security laws to harass United States businesses and their employees. Companies doing business in China, particularly those in the pharmaceutical or biotech industries need to be prepared.

© 2024 Foley & Lardner LLP
For more on Biotechnology, visit the NLR Biotech Food Drug section

What Does the End of Chevron Deference Mean for Federal Health Care Programs?

On June 28, 2024, the Supreme Court rejected the doctrine of Chevron deference in the closely watched case of Loper Bright Enterprises v. Raimondo.[1] In a 6-3 decision, the Court held that Chevron’s rule that courts must defer to federal agencies’ interpretation of ambiguous statutes gave the executive branch interpretive authority that properly belonged with the courts. Moreover, the Court concluded that Chevron deference was inconsistent with the Administrative Procedure Act (APA), holding that the APA requires courts to exercise independent judgment when deciding legal issues in the review of agency action.

Loper will have significant and immediate implications for the U.S. Department of Health and Human Services (HHS), the federal agency charged with the administration of the federal health care programs, including Medicare and Medicaid. As detailed below, the Court’s decision sets a more exacting standard for courts to apply when reviewing HHS’s regulations and legal positions.

What Was Chevron Deference?

The doctrine of Chevron deference was established in 1984 by the Supreme Court in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc.[2] In that case, the Court held when a “statute is silent or ambiguous with respect to the specific issue” raised regarding a statute that the agency administers, “the question for the court is whether the agency’s answer is based on a permissible construction of the statute.”[3]

Although scholars have debated Chevron’s rationale at length, it generally was read to require deference based upon agencies’ presumed subject matter expertise and an assumption that Congress delegated authority to agencies—rather than courts—to fill in gaps in statutory schemes. Notably, the Supreme Court had not itself invoked Chevron deference since 2016, although lower courts have continued to rely on it regularly.[4]

What Did Loper Decide?

Loper involved two New England fishing companies appealing the D.C. Circuit’s ruling that applied Chevron deference to uphold the National Marine Fisheries Service’s interpretation of the Federal Magnuson-Stevens Act (the “Act”) as requiring fishermen to pay for the use of compliance monitors on certain fishing boats, even though the federal law is silent on who must pay. Petitioners used the case as a vehicle to present a broader challenge to Chevron,arguing that the doctrine has led to excessive deference to federal agencies, resulting in overregulation, the abdication of judicial responsibility to interpret statutes, and the unwarranted imposition of regulatory enforcement costs.

The Loper majority firmly rejected Chevron and held that the APA requires courts to exercise their independent judgment in deciding legal questions that arise in reviewing agency action. As the majority held, “courts need not and under the APA may not defer to an agency interpretation of the law simply because a statute is ambiguous.”[5]

Importantly, however, Loper noted that deference may still be afforded agencies in certain instances. First, the Court observed that the APA expressly mandates a deferential standard of review for agency policy-making and fact-finding.[6] Second, Loper explained that some statutes are best read to “delegate[] discretionary authority to an agency,” in which case a court’s role is to merely ensure the agency “engaged in ‘reasoned decisionmaking’” within that authority.[7] Lastly, Loper reaffirmed that an agency’s “expertise” remains “one of the factors” that may make an agency’s interpretation persuasive.[8]

How Will Loper Impact Federal Health Care Programs?

Loper’s directive that courts should construe statutes independently and not defer to agencies’ positions has enormous implications for providers and suppliers that participate in federal health care programs. Much of today’s health care landscape is governed by HHS’ regulations, impacting many Americans and much of the federal budget. For example, Medicare currently covers more than 67 million beneficiaries, and Medicare spending comprised 12% of the federal budget in 2022 and 21% of national health care spending in 2021.[9]

Federal health care programs like Medicare and Medicaid are established by statutes that set forth myriad requirements regarding the coverage of items and services, and how, when, and by whom those items and services may be furnished.[10] HHS’s various components—most notably the Centers for Medicare and Medicaid Services (CMS)—have issued numerous, detailed regulations to implement these statutes. HHS’s components also include FDA, CDC, HRSA, AHRQ, OCR, NIH, and many others that intersect with health care providers and suppliers regularly.

Going forward under Loper, future challenges to agency regulations will take place upon a much different playing field. This has several important implications:

  • More Legal Challenges: We expect to see more legal challenges brought against HHS’s regulations as they are issued. Loper expressly stated that it “does not call into question prior cases that relied on the Chevron framework,” so prior decisions affirming regulations should be stable.[11] But going forward, Loper means that courts have no “thumb on the scale” in favor of HHS’s legal positions, and so litigants may view Loper as increasing their odds of success. At the same time, this may create more uncertainty for providers and suppliers who must determine how to comply with new regulations under challenge.
  • Less Ability for HHS to Create New Programs or Impose New Requirements: Especially where HHS imposes new substantive requirements that are not clearly authorized by statute, HHS’s regulations may be vulnerable. For example, the challengers to CMS’s minimum-staffing requirements for nursing homes are sure to cite Loper.[12] Likewise, when HHS creates new programs or initiatives by regulation based on broad statutory language (e.g., HHS’s recent creation of rural emergency hospital regulations[13]), the regulations may be more vulnerable to challenges. As another example, legal challenges to FDA’s new rule on Laboratory Developed Tests are pending and will likely invoke Loper.[14]
  • More Incentive to Challenge Reimbursement Rules: Legal challenges are frequently brought to CMS’s rules governing reimbursement, which often have complicated statutory formulas subject to differing interpretations. Whereas in the past, courts often deferred to CMS’s interpretations,[15] Loper now creates more potential for providers and suppliers to seek more favorable legal interpretations to enhance reimbursement.
  • Slower and More Cautious Rulemaking: As HHS promulgates new regulations, it will now have to consider the enhanced litigation risk that Loper creates. This may lead to agencies slowing and proceeding more cautiously in rulemaking as agencies seek to craft defensible regulations.
  • Inconsistent Decisions by Courts: Because Loper directs courts to exercise independent judgment rather than defer to HHS’s interpretations, we expect that courts in different areas of the country may reach differing conclusions regarding HHS regulations. This may make certain geographic locations more advantageous for provider and supplier operations or expansions.

Conclusion

Going forward, courts will be more amenable than ever to siding with challenges to HHS regulations. This creates both challenges and opportunities for providers and suppliers who should carefully assess the legal basis for all new regulations.

The authors acknowledge the contributions of Callie Ericksen, a student at the University of California Davis Law School and 2024 summer associate at Foley & Lardner LLP.

[1] Loper Bright Enterprises v. Raimondo, No. 22-451 (June 28, 2024), together with Relentless, Inc. v. Department of Commerce, No. 22-1219, available here.

[2] 467 U.S. 837 (1984).

[3] Id. at 843 (emphasis added).

[4] See Am. Hosp. Ass’n (“AHA”) v. Becerra, 142 S. Ct. 1896, 1904 (2022) (determining that HHS’s preclusion of judicial review “lacks any textual basis,” remaining silent with respect to Chevron); Becerra v. Empire Health Found., 142 S. Ct. 2354, 2362 (2022) (illustrating that HHS’s reading aligns with the statute’s “text, context, and structure” in calculating the Medicare fraction for purposes of Medicare Part A benefits, without any mention of Chevron); Vanda Pharms., Inc. v. Ctrs. for Medicare & Medicaid Servs.,98 F.4th 483 (2024) (holding that CMS’s definitions of “line-extension” and “new formulation” did not conflict with the Medicaid statute).

[5] Loper Bright Enterprises v. Raimondo, No. 22-451, slip op. 35 (June 28, 2024).

[6] Id. at slip. op. 14 (citing 5 U.S.C. §§ 706(2)(A), (E)).

[7] Id. at slip op. 18.

[8] Id. at slip op. 25 (citing Skidmore v. Swift & Co., 323 U.S. 134 (1944).

[9] See KFF, Medicare 101 (published May 28, 2024), available here.

[10] See 42 U.S.C. §§ 1395–1395lll.

[11] Loper Bright Enterprises v. Raimondo, No. 22-451, slip op. 34 (June 28, 2024).

[12] See Am. Health Care Ass’n v. Becerra, No. 24-cv-114 (N.D. Tex) (challenging the rule issued at 89 Fed. Reg. 40876 (May 10, 2024).

[13] Conditions of Participation, 42 C.F.R. §§ 485.500-485.546 (Subpart E), and Payments, §§ 419.90-419.95 (Subpart J), 87 Fed. Reg. 71748, 72292-93 (Nov. 23, 2022),

[14] 21 C.F.R. § 809, 89 Fed. Reg. 37286 (May 6, 2024).

[15] See, e.g.Baptist Mem’l Hosp. – Golden Triangle, Inc. v. Azar, 956 F.3d 689 (5th Cir. 2020) (deferring to CMS’s rule addressing “costs incurred” for calculating Medicaid Disproportionate Share Hospital payments).

© 2024 Foley & Lardner LLP
For more news on Supreme Court Health Care Decisions, visit the NLR Health Law & Managed Care section.

HHS Publishes Final Rule to Support Reproductive Health Care Privacy

The Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization to eliminate the federal constitutional right to abortion continues to alter the legal landscape across the country. On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) published the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” (the “Final Rule”).

The Final Rule—amending the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act)—strengthens privacy protections related to the use and disclosure of reproductive health care information. HIPAA’s Privacy Rule limits the disclosure of protected health information (PHI) and is part of HHS’s efforts to ensure that patients will not be afraid to seek health care from, or share important information with, health care providers.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires covered entities and business associates to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires covered entities to modify their NPPs to support reproductive health care privacy.

“Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home,” OCR Director Melanie Fontes Rainer said in a news release. OCR administers the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses (“covered entities”) and business associates to safeguard the privacy of PHI.

Commenters to an earlier notice of proposed rulemaking (“2023 NPRM”) raised concerns that PHI related to reproductive health care would be used and disclosed to expose both patients and providers to investigation and liability under state abortion laws, particularly new and revived laws. This Final Rule is intended to prohibit the disclosure of PHI related to lawful reproductive health care—a change from the current Privacy Rule where an entity is generally permitted, but not required, to disclose relevant and material information in a legitimate law enforcement inquiry.

Key Takeaways

New Category of Protected Health Information. The Final Rule changes the HIPAA Privacy Rule by defining a new category of protected health information and adds a new “prohibited use and disclosure” under the HIPAA Privacy Rule at 45 CFR 164.502—mandating that a covered entity or business associate may not use or disclose PHI:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating “reproductive health care”;
  • To impose criminal, civil, or administrative liability on any “person” for the mere act of seeking, obtaining, providing or facilitating “reproductive health care”; and
  • To identify any “person” for any of those above described purposes.

Prohibition. Under the Final Rule, HIPAA-covered entities and business associates who receive requests for protected health information must make a reasonable determination that one or more of the following conditions exists:

  • The reproductive health care is lawful in the state in which such health care is provided under the circumstances in which it is provided (e.g., if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided).
  • The reproductive health care is protected, required, or authorized by federal law, including the U.S. Constitution, regardless of the state in which such health care is provided (e.g., reproductive health care such as contraception is protected by the Constitution).

Presumption. Such care is presumed lawful unless the HIPAA-covered entity or business associate has

  • actual knowledge that the reproductive care was not lawful under the circumstances it was provided; or
  • factual information supplied by the requester demonstrating a substantial factual basis that the reproductive health care was not lawful under the specific circumstances in which it was provided.

Attestation Requirement. The Final Rule adds 45 CFR § 164.509(c) to require a covered entity or business associate, when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation from the requester. However, obtaining the attestation does not relieve a covered entity or business associate from its responsibility to determine whether the reproductive health care that may be the subject of the requested information was lawful. An attestation must contain the following elements:

  • A description of the information requested that identifies the information in a specific fashion, including one of the following:
    • The name(s) of any individual(s) whose protected health information is sought, if practicable;
    • If that name is not practicable, the name(s) or other specific identification of the person(s) or class of person(s) who are requested to make the use or disclosure;
  • The name or other specific identification of the person(s) or class of persons to whom the covered entity is to make the requested use or disclosure;
  • A clear statement that the use or disclosure is not for a purpose prohibited under 45 CFR § 164.502(a)(5)(iii)(i.e., identifying any person under the newly added prohibition);
  • A statement that a person may be subject to criminal penalties if they use or disclose the reproductive health information improperly;
  • Must be in plain language and contain the elements set forth in 45 CFR § 164.509(c) (inclusion of other elements not set forth in 45 CFR § 164.509(c) is prohibited); and
  • Must be signed by the person requesting the disclosure (which may take an electronic format).

The Final Rule prohibits the attestation from being “combined with” any other document (yet allows additional supporting information or documentation needed for the request to be submitted with the attestation (for example, a clearly labelled subpoena). While covered entities can develop their own attestation form, to reduce the compliance burden, HHS plans to publish a model attestation form prior to the compliance date.

Notices of Policy Practices. With the new processes for using and disclosing reproductive health information, covered entities must update their Notices of Privacy Practices (NPPs) required under 45 CFR § 164.520. For purposes of this Final Rule, updates to the NPPs must describe among other things the types and uses of disclosures of PHI that are prohibited under 45 CFR 164.502(a)(5)(iii). The notice should also contain a description of the uses and disclosures for which an attestation is required under the new 45 CFR § 164.509. Further, the Office of Management and Budget’s (OMB’s) Office of Information and Regulatory Affairs determined that this Final Rule meets the criteria in 5 USC § 804(2) for being a major rule because it is projected to have an annualized impact of more than $100,000,000 based on the number of covered entities and business associates that will have to implement these changes.

Practical Implications for HIPAA Covered Entities & Business Associates

Considering the significant changes this Final Rule introduces, there is no time like the present for covered entities and business associates to consider the compliance implications that a new category of PHI will have on existing HIPAA policies and procedures. In addition to developing and/or obtaining new attestation forms, making reasonable determinations of the lawfulness of reproductive health care and updating notices of privacy practices, privacy and security officers will likely need to evaluate the impact these changes will have on the policies that govern data dissemination, and the processes and procedures that may change as well. Covered entities and business associates will also likely want to include these changes into training for employees involved in these activities.

The Final Rule goes into effect on June 25, 2024, with a compliance date of December 23, 2024. The NPP requirements, however, take effect on February 16, 2026—consistent with OCR’s 42 CFR Part 2 Rule of February 16, 2024, so that covered entities regulated under both rules can implement changes to their NPPs at the same time.

HIPAA covered entities and business associates should consider the context and framework of the HIPAA Privacy Rule and these new modifications as they consider third-party requests for any PHI that may include reproductive health information (the current HIPAA Privacy Rule remains in effect until the new rule takes effect). If the new reproductive health prohibition is not applicable, HIPAA covered entities should still consider the fact that HIPAA otherwise permits, but does not require, them to disclose PHI under most of the HIPAA exceptions contained in 45 CFR § 164.512. Therefore, HIPAA affords covered entities the ability to protect the privacy interests of their patients, especially in the current post-Dobbs environment.

Covered entities and business associates now face the challenge of implementing these new requirements and training their workforce members on how to analyze and respond to requests that include reproductive health care information. Questions remain surrounding a covered entity or business associate’s burden of determining that the reproductive health care provided to an individual was in fact lawful. For example, if a complaint follows, does a covered entity have to account for the disclosures that are made? While the Final Rule is gender-neutral, what is the likelihood that it would be applied to men—could it? In any case, we will continue to monitor developments, including questions of how HIPAA and other privacy concerns interact with reproductive health care, in the wake of Dobbs. For more on the subject, please see our past blog on the 2023 proposed rule.

Ann W. Parks contributed to this article.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Reproductive Health Care, visit the NLR Health Law & Managed Care section.