Health Law Highlights

Now in Effect: Texas Ends Surprise Bills for Ambulance Rides

From D Magazine, by Will Maddox:

Surprise medical billing has largely been eliminated due to federal and state legislative efforts, but ambulance billing was not included in these regulations. A new Texas law now prevents surprise bills for ambulance services for those with state health insurance plans.

Emergency physicians and anesthesiologists were the most common sources of surprise bills, with research indicating that one in four ambulance rides results in a surprise bill. Approximately 60% of ambulance providers, both private and public, are out of network.

Bipartisan State Bill 2476 prohibits out-of-network ambulance providers from sending patients surprise bills, requiring insurers to cover costs based on local rates set by counties and cities. If no local ambulance rate exists, insurers will pay the lesser of 325% of the Medicare reimbursement rate or the full billed charge.

The new bill simplifies the initial surprise bill process, which had led to numerous lawsuits filed by the Texas Medical Association challenging the process for settling a surprise bill as directed by the federal No Surprises Act.

The new rules only cover those on state healthcare plans, including state employees and teachers, approximately one in three Texans.

Health Law Highlights

New Guidelines Anticipated Following HHS’s Health Cybersecurity Concept Paper

From Shutts & Bowen LLP, by Kurtis Hutson, Timothy Monaghan, Ella Shenhav:

Updates to HIPAA Security Rule: The Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) plan to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and propose new cybersecurity requirements in Spring 2024. These changes aim to shift the cybersecurity burden from end users to the owners and operators of technologies in critical infrastructure sectors, including healthcare.

Impact on Healthcare Companies: The new requirements could significantly expand the enforcement capabilities of regulators, impacting all entities involved in the healthcare industry. This includes manufacturers, sellers, service providers, healthcare providers, and payors who access, process, transmit, or store electronic protected health information (ePHI).

Voluntary Cybersecurity Performance Goals: HHS is developing voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Although termed “voluntary”, these will be used by CMS to propose new cybersecurity requirements for hospitals and participants in Medicare and Medicaid programs, and will influence the update to the HIPAA Security Rule.

Need for Proactive Measures: Healthcare organizations are advised not to adopt a “wait and see” approach, but to ensure they can demonstrate the implementation of Recognized Security Practices (RSPs). The HITECH Act amendment of January 2021 provides a safe harbor that could lead to reduced fines or termination of HIPAA-related investigations for organizations that can prove they had RSPs in place for at least the previous twelve months.


NIST Publishes SP 800-66 Revision 2, Implementing the HIPAA Security Rule

From NIST Computer Security Resource Center:

The National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide”.

SP 800-66 provides guidance for entities regulated by HIPAA on evaluating and managing risks associated with electronic Protected Health Information (ePHI). It outlines typical activities for an information security program and offers advice to improve cybersecurity posture and assist with HIPAA Security Rule compliance.

NIST’s Cybersecurity and Privacy Reference Tool (CPRT) includes mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework Subcategories and SP 800-53r5 security controls. It also lists NIST publications relevant to each HIPAA Security Rule standard, which can be used as additional resources for implementing HIPAA Security Rule standards and implementation specifications.

Health Law Highlights

The Corporate Transparency Act: Key Considerations for Health Systems and Practice Management Companies (MSOs/DSOs

From Proskauer – Health Care Law Brief, by Andrew Bettwy, Jeffrey Horwitz, David Manko, Jonian Rafti, Elanit Sno, Yuval Tal:

The Corporate Transparency Act (CTA), effective January 1, 2024, mandates the creation of a national registry of “beneficial owners” and “company applicants” of entities across the U.S. to counter illicit activities such as money laundering and terrorism financing. Reporting companies must disclose key information about these individuals, including legal name, date of birth, address, and government-issued identification details.

The CTA presents a compliance challenge for large healthcare enterprises due to their complex contractual arrangements with physician practices and facilities. Entities like health systems, practice management companies, and national telehealth companies, which may have numerous joint ventures and management agreements, need to determine the beneficial owners of their associated practices.

Several exemptions exist for healthcare entities under the CTA, including the Non-Profit Exemption, Large Operating Company Exemption, Subsidiary of Exempt Entity Exemption, and Inactive Entity Exemption. The applicability of these exemptions depends on factors such as tax status, employee count, gross receipts, and control over ownership interests.

A beneficial owner is defined as an individual who exercises substantial control over a company or owns or controls at least 25% of the company’s ownership interests. This could include senior officers, individuals with authority over appointments, and those with substantial influence over company decisions.

Non-compliance with the CTA can lead to significant penalties, including civil penalties of up to $500 per day and criminal penalties, including fines of up to $10,000 or imprisonment for up to two years. Federal and state law enforcement agencies may access reported information for law enforcement activities, including civil and criminal investigations and actions.

Health Law Highlights

CMS Updates Guidance to Allow Texting of Patient Orders

From Robinson & Cole, by Nathaniel Arden:

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) updated its 2018 memorandum to now allow the texting of patient orders among a patient’s healthcare team.

The 2018 memorandum stated that texting of patient orders did not comply with hospital and critical access hospital (CAH) Medicare conditions of participation (CoPs) due to potential issues with record security, author identification, and HIPAA compliance.

The updated guidance recognizes technological advancements, including encryption and interfaces between texting platforms and electronic health record systems (EHRs) that can ensure compliance with CoPs through the texting of patient orders.

CMS advises hospitals and CAHs using text orders to ensure they use secure, encrypted platforms, maintain author identification integrity, comply with HIPAA, and promptly file texted orders in the EHR.

Health Law Highlights

Telehealth and the Evolving Landscape of Medicare Requirements

From Verrill, by Amanda Beauregard, Andrew Ferrer:

Telehealth Importance and Changes Post-Pandemic: Telehealth has been crucial during the COVID-19 pandemic, especially for behavioral and mental health services. The U.S. Department of Health & Human Services (HHS) facilitated its expanded use by easing Medicare regulations. Key changes included recognizing a patient’s home as an “originating site” and allowing telehealth without an initial or periodic in-person visit. However, with the end of the Public Health Emergency (PHE), Medicare rules for telehealth services are changing.

Permanent Telehealth Flexibilities: Some telehealth flexibilities will remain post-PHE, including Federally Qualified Health Centers (FQHCs) and Rural Health Clinics (RHCs) serving as “distant site” providers for behavioral/mental telehealth services, no geographic restrictions for these services, and the allowance of audio-only communication platforms. 

Temporary Telehealth Flexibilities: Many telehealth flexibilities are set to expire after December 31, 202These include FQHCs and RHCs serving as a distant site provider for non-behavioral/mental telehealth services, no geographic restrictions for an “originating site” for non-behavioral/mental telehealth services, and using audio-only communication platforms for non-behavioral/mental telehealth services.

Advocacy Efforts for Permanent Telehealth Flexibilities: Several trade associations and lawmakers are advocating for making all Medicare telehealth flexibilities permanent. They aim to ensure equitable payment for FQHCs and RHCs, remove geographic and “originating site” restrictions, eliminate the periodic “in-person” rules, maintain coverage for audio-only treatment, and expand the list of eligible Medicare providers.

Legislation Introduced for Telehealth: Several bills have been introduced to further these goals, including the CONNECT for Health Act, Telemental Health Care Access Act, Telehealth Expansion Act, Telehealth Benefit Expansion for Workers Act of 2023, and TREATS Act. These proposed laws aim to remove geographic requirements, add homes as “originating sites,” remove in-person evaluation requirements, and extend exemptions for telehealth services, among other things.

Health Law Highlights

HIPAA and Part 2 Harmonized: What Health Care Organizations Need to Know

From Foley & Lardner LLP, by Jane Blaney, Jennifer J. Hennessy, Aaron T. Maguregui:

Part 2 Final Rule Implementation: The U.S. Department of Health & Human Services (HHS) issued the Part 2 Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations. This rule, effective 60 days post-publication, implements provisions of the 2020 CARES Act and includes modifications proposed in the November 2022 Notice of Proposed Rulemaking and additional changes based on public comments.

Patient Consent Changes: The rule allows SUD programs to obtain a single patient consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations (TPO), as per HIPAA regulations. This consent can be revoked by the patient in writing. The rule also permits HIPAA-covered entities and business associates to redisclose records under this consent, barring use in legal proceedings against the patient without specific consent or court order.

Patient Notice and Rights: The rule aligns Part 2’s patient notice requirements more closely with the HIPAA Notice of Privacy Practices. It also provides patients with additional rights, such as requesting restrictions of disclosures to health plans for services paid in full or for purposes of TPO, obtaining an accounting of disclosures, and opting out of fundraising communications.

Breach Notification and Counseling Notes: The rule applies HIPAA’s Breach Notification Rule to breaches of unsecured records by Part 2 programs. It also includes a definition of SUD counseling notes similar to the HIPAA definition of psychotherapy notes, requiring specific consent from the individual for their disclosure.

Data Segregation and Penalties: The rule removes the requirement for segregation or segmentation of Part 2 records but maintains their protection. Violations of Part 2 will be subject to the same civil and criminal penalties as HIPAA violations, and patients can file complaints with HHS for violations of Part 

Health Law Highlights

Corporate Transparency Act and Health Care Providers

From AHLA, by Christopher Conn and Patrick Dunbar:

The Corporate Transparency Act (CTA), effective from January 1, 2024, mandates domestic and foreign legal entities operating in the U.S. to report beneficial ownership information to the Financial Crimes Enforcement Network (FinCEN), with certain exemptions. This is to regulate “shell” companies often associated with illicit activities. Health care providers, unless exempt, will also need to comply with these disclosure requirements.

Two types of reporting companies exist under the CTA: domestic and foreign. Domestic entities are those created by filing organizational documents with a secretary of state, while foreign entities are organized under foreign laws but conduct business in the U.S. Health care providers organized as partnerships, sole proprietorships, or other entities not typically required to file with state governments may avoid being classified as a reporting company.

If classified as a reporting company, health care providers must identify their “beneficial owners” and report this information to FinCEN. A beneficial owner under the CTA is a person or entity that exercises substantial control over a reporting company or owns or controls at least 25% of the ownership interests of the reporting company.

Non-exempt reporting companies must file beneficial ownership information (BOI) reports with FinCEN, containing specific information about the company, its beneficial owners, and its applicants. Timing requirements for these disclosures vary based on the date of entity formation and changes to previously disclosed information.

The CTA imposes civil and criminal penalties for willful failure to report, or intentionally providing false or fraudulent BOI. Health care providers must ensure disclosure consistency across multiple regulatory and licensing bodies. They should also be aware of the administrative challenges posed by the CTA, including determining beneficial ownership and timely reporting of BOI updates.

Health Law Highlights

Confidentiality of Substance Use Disorder Records Now More Closely Aligned With HIPAA

From Fox Rothschild, by Elizabeth G. Litten:

Part 2 records may be disclosed pursuant to the patient’s written consent, which may be a single consent for all future uses and disclosures for treatment, payment, and health care operations (as such terms are defined under HIPAA)

Part 2 records may be disclosed to a public health authority without patient consent if the records are de-identified (as defined and set forth under HIPAA)

Part 2 records are subject to HIPAA’s breach notification requirements

Part 2 SUD providers must provide HIPAA Notice of Privacy Practices-type notices to patients

Patients have the right to complain to HHS regarding alleged violations of Part 2

Health Law Highlights

HTI-1 Final Rule in Effect

From The HIPAA Journal, by Steve Adler:

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule, issued by the HHS’ Office of the National Coordinator for Health Information Technology (ONC), took effect on February 8, 2024. It implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new standards for AI systems.

The Final Rule is designed to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization. It aims to improve patient outcomes and reduce healthcare costs by promoting the safe, secure, and trustworthy development of AI.

The Final Rule introduces new transparency requirements for AI and other predictive algorithms within ONC-certified health IT. It allows clinical users to access a consistent set of information about the algorithms and assess them for fairness, validity, effectiveness, and safety.

It adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. Developers of certified health IT have until January 1, 2026, to transition to USCDI v3.

The Final Rule introduces new information blocking requirements and definitions, adds a new exception to support information sharing, and introduces new interoperability-focused reporting metrics. It is crucial that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure compliance with these new requirements.