HHS

Avoiding Confusion Over State Licensing Laws as CMS Further Loosens Telemedicine Restrictions

The Centers for Medicare & Medicaid Services (CMS) continues to loosen the conditions for participation in Medicare, as well as specific reimbursement requirements, to ensure facilities and practitioners are able to practice at the top of their license and across state lines without jeopardizing Medicare reimbursement. Unfortunately, as demonstrated when CMS took similar actions over the past few weeks in response to the Coronavirus (COVID-19) pandemic, headlines tend to overlook one fundamental component of the applicable regulatory regime: state law requirements.

Unlike the Veterans Affairs Administration’s (VA’s) action a few years ago, which preempted state licensing law for purposes of implementing a VA telemedicine program, the Department of Health and Human Services has limited its actions during the COVID-19 pandemic to modifications of federal regulations and rules.  Secretary Alex Azar, in a letter to the Governors, instead encouraged the states to take action themselves to similarly loosen state laws to ensure maximum utilization of resources.  The states have been doing so, in some instances since early March, with different approaches. These differences stem from a large number of variables that are implicated by state licensure laws.

Key Takeaways: The practical implication for the provider community is that new standards for Medicare need to be adopted in harmony with existing state law requirements, which, unfortunately, are not uniform across the country. Nevertheless, nearly every state has taken action to loosen cross-border licensing restrictions for healthcare professionals and has modified other rules and regulations to help protect healthcare workers, maximize their numbers and help them practice at the highest level of their experience and training. There is a national movement in this direction, but it remains a patchwork.

For a deeper dive into telemedicine regulations during the COVID-19 pandemic, visit our Coronavirus Resource Center, which features articles, webinar recordings and videos on the telemedicine issues you need to know.





The RUSH Act – Another Advancement in Telehealth Acceptance?

As previously noted in our Digital Health Mid-Year Review, 2018 has seen greater acceptance of telemedicine within the Medicare program. Both regulatory and statutory changes have expanded reimbursement opportunities and, consequently, opportunities for the deployment of telemedicine technologies. As we noted then, however, improvement in the Medicare reimbursement environment for telemedicine services has been tied to a policy goal of not increasing utilization unnecessarily. We noted in our Mid-Year Review that Congress appears to be following MedPac’s recent guidance that Congress “should take a measured approach to further incorporating telehealth into Medicare by evaluating individual telehealth services to assess their capacity to address. . . cost reduction, access expansion, and quality improvement.”

The recently introduced Reducing Unnecessary Senior Hospitalizations Act of 2018 (the RUSH Act) seems to deviate from MedPac’s suggested approach. The RUSH Act seeks to avoid hospitalizations through a program that creates financial incentives for providing certain nonsurgical services furnished by hospital emergency departments at skilled nursing facilities that are qualified to provide such services by the Secretary of Health and Human Services. The RUSH Act specifically refers to the possibility that some of these services could be provided by licensed practitioners “through the use of telehealth.” Interestingly, the RUSH Act does not specify what telehealth services should be allowable or how they should be reimbursed; rather, the RUSH Act leaves these matters for agency determination.

According to Representative Diane Black (TN), one of the bill’s sponsors, “[t]here are companies who are ready and able to provide this innovative care. . . . These positive disruptors just need Medicare’s payment policies to catch up with the technology. . . giving [nursing homes] the technology-enabled tools needed to lower health care costs and, most importantly, save lives.”

As an observer of this industry, I tend to agree with this claim, but under the approach taken by this bill, that determination will need to be made by the Department of Health and Human Services. Digital health companies looking for a better reimbursement environment are well-advised to focus on the bottom line of federal health policy–lower cost, improved care and increased access.





False Claims Act Settlement with eClinicalWorks Raises Questions for Electronic Health Record Software Vendors

On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act.

Read the full article.





Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias.

In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR).

OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, the company’s draft policies and procedures implementing the standards of the HIPAA Security Rule had never been implemented, and the company was also unable to produce final versions of any policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.






What You Need to Know about Changes to the Common Rule

The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them.

Read the full article here.





HHS Finalizes Overhaul of Federal Human Subjects Research Protections

On January 18, 2017, the Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule overhauling the federal human subjects research regulations known as the “Common Rule.” These are the first revisions to the Common Rule since its original enactment in 1991, and have been in progress since HHS first published an Advanced Notice of Proposed Rulemaking in July 2011. According to the press release accompanying the final rule, HHS made “significant changes” to its most recent proposals (published in September 2015) in response to the 2,100+ public comments they received.

The majority of the Common Rule’s changes and new provisions will go into effect in 2018. We are reviewing the final rule in detail, and a summary of changes and new provisions is forthcoming.





OMB Reviewing Common Rule Overhaul

On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.

Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.

Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.

The current status of OMB’s review is pending.





Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.





Pressure Points: OCR Enforcement Activity in 2014

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

1. Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level.  In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

2. A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

3. System changes and data relocation can lead to unintended consequences.

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI. A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidently failing at first to identify the larger security breach. According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

4. Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]




