The US Departments of the Treasury, Labor, and Health and Human Services (the Departments) recently issued much-anticipated proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) to better ensure that health plans allow access to mental health or substance use disorder benefits as easily as medical or surgical benefits. The proposed regulations reiterate the Departments’ focus on mental health parity and underscore the importance of compliance for health plan sponsors. They also follow audits of many plans by the Departments that focused heavily on MHPAEA compliance, leaving plan sponsors frustrated by the lack of guidance and the inconsistent application of MHPAEA.
Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.
The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.
The settlement arose from breaches in which non-medical staff allegedly used their login credentials to access patient medical records in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”
The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rules is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following actions, which covered entities must take to comply:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
- Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
- Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors receive only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category can be reasonably confident of surviving an OCR audit or investigation only if, at a minimum, they take the actions listed above.
The US Department of Health and Human Services Office of the Inspector General (HHS OIG) recently unveiled a new toolkit that seeks to help analyze telehealth claims for federal healthcare program integrity risks. It is based on methodologies highlighted in OIG’s September 2022 data brief; the data brief identified billing practices by Medicare providers that OIG was concerned posed a high risk to program integrity. OIG intends for the toolkit to be used by public and private parties—including Medicare Advantage plan sponsors, private health plans, State Medicaid Fraud Control Units and other federal healthcare agencies—to assess program integrity risks and identify providers whose billing may warrant further scrutiny.
Medicare Advantage (MA) plans are facing both regulatory and business risks following the conclusion of the COVID-19 Public Health Emergency (PHE). What are the major MA flexibilities and requirements related to the pandemic, and have they ended along with the PHE?
The Biden administration has announced that the federal government will wind down its remaining COVID-19 vaccination mandates (including those for federal workers, contractors and international air travelers) effective May 11, 2023. This action coincides with the conclusion of the COVID-19 public health emergency (PHE). Additionally, the US Department of Health and Human Services (HHS) will initiate steps to terminate the vaccination prerequisites for healthcare facilities that are certified by the Centers for Medicare & Medicaid Services (CMS).
OCR Issues Proposed Rule to Modify HIPAA Privacy Rule to Include Explicit Protections for Reproductive Healthcare
On April 12, 2023, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notice of proposed rulemaking detailing its proposal to modify the HIPAA Privacy Rule (Proposed Rule). The Proposed Rule comes as a part of the Biden administration’s response to the US Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization.
The Proposed Rule would provide special protections for protected health information (PHI) related to reproductive healthcare. Following the Dobbs decision, many healthcare providers expressed concerns that PHI related to reproductive healthcare may be sought by state and local governments for use in criminal, civil or administrative investigations or proceedings. OCR noted that such compelled uses and disclosures of PHI could have a chilling effect on lawfully obtained healthcare and erode trust in confidential communications between a patient and provider. Additionally, providers could elect to leave out critical details from a patient’s medical record if they fear the information could later be used by a state or local government actor against the patient.
Stakeholders may submit comments on the proposed rule on or before June 16, 2023.
Preparing for the End of the COVID-19 Emergency: Tri-Agencies Issue FAQs to Assist Plans and Issuers
The Biden administration has announced its intention to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information).
On March 29, 2023, the US Departments of Labor, Health and Human Services, and Treasury (the Departments) issued a set of Frequently Asked Questions (available here), which answered questions from stakeholders relating to the various laws, regulations and other guidance enacted or adopted in connection with the NE and PHE. The FAQs include eight questions related to the anticipated end of the “Outbreak Period” on July 10, 2023, which is 60 days after the end of the NE and PHE on May 11 (rules regarding the Outbreak Period are set forth in our earlier articles here and here). Below are the highlights:
- Following the end of the PHE, plans and issuers can impose cost-sharing, prior authorization or other medical management requirements for COVID-19 diagnostic tests, although the Departments encourage plans not to do so.
- Plans and issuers are encouraged to notify plan participants of changes regarding COVID-19 diagnosis, testing and treatment. Special rules apply under which Summaries of Benefits and Coverage (SBCs) need not be amended mid-year.
- While plans and issuers will no longer be required to post prices for diagnostic tests furnished after May 11, they are nevertheless encouraged to do so.
- Plans must continue to cover vaccines that qualify as preventive services, without cost-sharing, when provided in-network.
- The FAQs provide examples relating to the application and termination of extended time periods for elections under the Consolidated Omnibus Budget Reconciliation Act (COBRA) and the Health Insurance Portability and Accountability Act (HIPAA).
- In what is a welcome surprise, the FAQs confirm that individuals covered by a High-Deductible Health Plan (HDHP) will remain Health Savings Account (HSA)-eligible until further notice even if the HDHP in which they are enrolled provides medical care services and items purchased related to testing for and treatment of COVID-19 prior to the satisfaction of the HDHP’s applicable minimum deductible.
To keep employers apprised of the rules and to assist with providing notice to plan participants of the changes that will accompany the end of the NE and PHE, the Department of Labor has issued two blog posts, which are available here and here.
Action Items: We urge plan sponsors to pay particular attention to notifying employees of the upcoming changes that will accompany the end of the PHE and NE and to ensure that participants covered under an HDHP understand that they may continue to contribute to their HSAs. Employers should consider communicating these changes to their employees.
For any questions regarding the end of the PHE and/or NE, please contact your regular McDermott lawyer or one of the authors.
Multiple Republican lawmakers are opposing a US Department of Health and Human Services (HHS) proposed rule that would expand the Affordable Care Act’s Section 1557 requirement preventing most health plans from discriminating on the basis of sex. According to this SHRM article, the rule applies to health insurers or plans that receive federal funds or that contract with the government. McDermott lawyers previously wrote about this proposed rule, noting that the definition of a covered entity is “similar in many ways to the 2016 Final Rule” but “does not explicitly include employee benefit group health plans as covered entities subject to Section 1557.”
On September 26, the US Government Accountability Office (GAO) released a report titled “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.” The 75-page report describes the utilization of Medicare telehealth services under current pandemic-related waivers, the Centers for Medicare & Medicaid Services (CMS) efforts to identify and monitor risks posed by the current waivers, and a change made by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to the enforcement of regulations governing patients’ protected health information during the COVID-19 public health emergency (PHE).
GAO made four recommendations—three directed to CMS and one directed to OCR—aimed at remedying the issues set forth in the report:
- CMS should develop an additional billing modifier or clarify its guidance regarding billing of audio-only office visits to allow the agency to fully track these visits.
- CMS should require providers to use available site of service codes to indicate when Medicare telehealth services are delivered to beneficiaries in their homes.
- CMS should comprehensively assess the quality of Medicare services, including audio-only services, delivered using telehealth during the PHE.
- OCR should provide additional education, outreach or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.
Among its utilization findings, the GAO report found that the use of telehealth services increased from about five million services pre-waiver (April to December 2019) to more than 53 million services post-waiver (April to December 2020) and that, post-waiver, 5% of providers delivered more than 40% of telehealth services, and 5% of beneficiaries accounted for almost 40% of telehealth utilization.
The report noted that CMS lacks complete data on the use of audio-only technology and on telehealth visits furnished in patients’ homes, because there is no billing mechanism for providers to identify all instances of audio-only visits, and because providers are not required to use the available codes to identify visits furnished in homes. The GAO report also noted that, with respect to OCR’s March 2020 policy of not imposing penalties on providers for noncompliance with privacy and security requirements in connection with the good-faith provision of telehealth during the PHE, OCR did not advise providers about specific language to use or give direction on explaining the risks to patients.
This GAO report comes on the heels of a recent report from the HHS Office of Inspector General that found little evidence of waste and fraud related to Medicare telehealth services during the first year of the pandemic. These reports are part of a broader push by Congress and the Biden administration to examine current telehealth flexibilities and determine how to extend them beyond the COVID-19 PHE.