US Department of Health and Human Services
Subscribe to US Department of Health and Human Services's Posts

Treasury, DOL and HHS Issue Landmark Mental Health Parity Proposed Rule

The US Departments of the Treasury, Labor, and Health and Human Services (the Departments) recently issued much-anticipated proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) to better ensure that health plans allow access to mental health or substance use disorder benefits as easily as medical or surgical benefits. The proposed regulations reiterate the Departments’ focus on mental health parity and underscore the importance of compliance for health plan sponsors. They also come after many plans have been subject to audit by the Departments which focused heavily on MHPAEA compliance, leaving plan sponsors frustrated at the lack of guidance and inconsistent application of MHPAEA.

Read more here.




How Dobbs Has Changed the Data Privacy Landscape

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.

Access the article.




HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category should be reasonably confident of surviving an OCR audit or investigation only, at a minimum, by taking the actions listed above.




HHS OIG Develops Toolkit to Analyze Telehealth Claims to Assess Program Integrity Risks

The US Department of Health and Human Services Office of the Inspector General (HHS OIG) recently unveiled a new toolkit that seeks to help analyze telehealth claims for federal healthcare program integrity risks. It is based on methodologies highlighted in OIG’s September 2022 data brief; the data brief identified billing practices by Medicare providers that OIG was concerned posed a high risk to program integrity. OIG intends for the toolkit to be used by public and private parties—including Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units and other federal healthcare agencies—to assess program integrity risks and identify providers whose billing may warrant further scrutiny.

Read more here.




Federal Government to Wind Down Vaccination Mandates

The Biden administration has announced that the federal government will wind down its remaining COVID-19 vaccination mandates (including those for federal workers, contractors and international air travelers) effective May 11, 2023. This action coincides with the conclusion of the COVID-19 public health emergency (PHE). Additionally, the US Department of Health and Human Services (HHS) will initiate steps to terminate the vaccination prerequisites for healthcare facilities that are certified by the Centers for Medicare & Medicaid Services (CMS).

Read more here.




OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare

On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.

The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.

Stakeholders may submit comments on the proposed rule on or before June 16, 2023.

Read more here.




HHS Nondiscrimination Proposal on Gender Procedures, Abortions Meets Resistance

Multiple Republican lawmakers are opposing a US Department of Health and Human Services (HHS) proposed rule that would expand the Affordable Care Act’s Section 1557 requirement preventing most health plans from discriminating on the basis of sex. According to this SHRM article, the rule applies to health insurers or plans that receive federal funds or that contract with the government. McDermott lawyers previously wrote about this proposed rule, noting that the definition of a covered entity is “similar in many ways to the 2016 Final Rule” but “does not explicitly include employee benefit group health plans as covered entities subject to Section 1557.”

Access the article.




GAO Releases Report on Telehealth

On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).

GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:

  • CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
  • CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
  • CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
  • OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.

Among its utilization findings, the GAO report found that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.

The report noted that CMS lacks complete data on the use of audio-only technology and telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use available codes to identify visits furnished in homes. The GAO report also noted that OCR did not advise providers about specific language to use or give direction on explaining risks to patients, with respect to OCR’s March 2020 policy that it would not impose penalties against providers for noncompliance with privacy and security requirements in connection with the good faith provision of telehealth during the PHE.

This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.




STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022