The US Departments of the Treasury, Labor, and Health and Human Services (the Departments) recently issued much-anticipated proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) to better ensure that health plans allow access to mental health or substance use disorder benefits as easily as medical or surgical benefits. The proposed regulations reiterate the Departments’ focus on mental health parity and underscore the importance of compliance for health plan sponsors. They also come after many plans have been subject to audit by the Departments which focused heavily on MHPAEA compliance, leaving plan sponsors frustrated at the lack of guidance and inconsistent application of MHPAEA.
Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.
The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.
The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”
The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
- Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
- Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with them if not already in place.
Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if, at a minimum, they take the actions listed above.
The US Department of Health and Human Services Office of the Inspector General (HHS OIG) recently unveiled a new toolkit that seeks to help analyze telehealth claims for federal healthcare program integrity risks. It is based on methodologies highlighted in OIG’s September 2022 data brief; the data brief identified billing practices by Medicare providers that OIG was concerned posed a high risk to program integrity. OIG intends for the toolkit to be used by public and private parties—including Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units and other federal healthcare agencies—to assess program integrity risks and identify providers whose billing may warrant further scrutiny.
Medicare Advantage (MA) plans are facing both regulatory and business risks following the conclusion of the COVID-19 Public Health Emergency (PHE). What are the major MA flexibilities and requirements related to the pandemic, and have they ended along with the PHE?
The Biden administration has announced that the federal government will wind down its remaining COVID-19 vaccination mandates (including those for federal workers, contractors and international air travelers) effective May 11, 2023. This action coincides with the conclusion of the COVID-19 public health emergency (PHE). Additionally, the US Department of Health and Human Services (HHS) will initiate steps to terminate the vaccination prerequisites for healthcare facilities that are certified by the Centers for Medicare & Medicaid Services (CMS).
We expect to see continued focus on privacy and security at the federal and state level. For example, California, Virginia, Colorado, Utah and Connecticut have new privacy laws coming into effect in 2023. As part of our State Law Privacy Video Series, McDermott described how these laws will affect health data and healthcare entities—in particular, those entities that are regulated by HIPAA.
In addition, at the end of 2022, the US Department of Health and Human Services (HHS) proposed long-awaited changes to the regulations protecting the confidentiality of substance-use disorder patient records under Part 2 of Title 42 of the Code of Federal Regulations (42 CFR Part 2, or Part 2). Specifically, the proposed rule would implement provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which required HHS to align Part 2 with certain provisions of HIPAA and to make certain changes to the HIPAA Notice of Privacy Practices, the form given to patients and plan members that describes patient privacy rights, covered entity duties, and the covered entity’s uses and disclosures of protected health information.
On January 25, 2023, the US Department of Health and Human Services (HHS) announced that more than 16.3 million people nationwide selected an ACA Marketplace health plan during the 2023 open enrollment period that ran from November 1, 2022, until January 15, 2023, for most marketplaces.
According to HHS, total plan selections include 3.6 million people who are new to the marketplaces for 2023 (22% of the total). The 3.6 million figure is a 21% increase in new-to-marketplace plan selections over last year.
The data included in HHS’s January 25 announcement represents activity through January 15 for the 33 marketplaces using HealthCare.gov, and through January 14 or 15 for the 18 state-based marketplaces in 17 states and the District of Columbia that use their own eligibility and enrollment platforms. Some state-based marketplaces are still in open enrollment and will report updated enrollment data after that period closes. A fact sheet on state-based marketplace open enrollment deadlines can be found here.
The Biden administration recently proposed revising the process behind an outlet for pharmaceutical companies to resolve price fights for those participating in the 340B drug discount program. According to this Bloomberg article, disputes between providers and pharmaceutical companies were in limbo as the industry waited for the Biden administration to replace an administrative dispute resolution (ADR) board. McDermott Partner Emily J. Cook said the proposed US Department of Health and Human Services rule ushers in “some significant changes” from the prior ADR process.
On November 15, the Senate approved a resolution to end the national emergency concerning COVID-19 declared by the president on March 13, 2020. The resolution was approved by a bipartisan vote of 62–36, with 13 Democrats joining all present Republicans in voting for the resolution.
While ending the national emergency is different than ending the public health emergency (PHE), which is declared by the US Department of Health and Human Services (HHS), the two are related, as the PHE must be tied to another declaration. Should the national emergency declaration end (as intended in this Senate resolution), most current waivers would terminate. There are notable exceptions, however, where other pieces of legislation have enacted additional flexibility (including telehealth waivers), and where HHS rulemakings specified that policy changes are tied to the PHE. Should the national declaration end but the PHE stand, such policies would continue until the end of the PHE. Should both the national emergency declaration and the PHE end, all waiver authority would cease. Please see this +Insight for additional information.
The COVID-19 PHE, which is extended in 90-day increments, was most recently extended in mid-October, until mid-January 2023. The Biden administration has maintained a commitment to provide 60 days’ advance notice of any plans to end the PHE, and that 60-day mark recently passed with no indication that the PHE will end in mid-January. This indicates that the PHE is likely to be extended at least once more, through mid-April 2023.
Senate passage of this resolution will not have a tangible impact, as it is unlikely to be taken up by the Democratic-controlled House this year, and the president has threatened to veto it. However, the vote in the Senate demonstrates “pandemic fatigue” as well as significant bipartisan support for ending COVID-19 declarations, which suggests that the next presumed PHE extension through mid-April 2023 could be the last.