HHS
Subscribe to HHS's Posts

Avoiding Confusion Over State Licensing Laws as CMS Further Loosens Telemedicine Restrictions

The Centers for Medicare & Medicaid Services (CMS) continues to loosen the conditions for participation in Medicare, as well as specific reimbursement requirements, to ensure facilities and practitioners are able to practice at the top of their license and across state lines without jeopardizing Medicare reimbursement. Unfortunately, as demonstrated when CMS took similar actions over the past few weeks in response to the Coronavirus (COVID-19) pandemic, headlines tend to overlook one fundamental component of the applicable regulatory regime: state law requirements. Unlike the Veterans Affairs Administration’s (VA's) action a few years ago, which preempted state licensing law for purposes of implementing a VA telemedicine program, the Department of Health and Human Services has limited its actions during the COVID-19 pandemic to modifications of federal regulations and rules.  Secretary Alex Azar, in a letter to the Governors, instead encouraged the states...

Continue Reading

The RUSH Act – Another Advancement in Telehealth Acceptance?

As previously noted in our Digital Health Mid-Year Review, 2018 has seen greater acceptance of telemedicine within the Medicare program. Both regulatory and statutory changes have expanded reimbursement opportunities and, consequentially, opportunities for the deployment of telemedicine technologies. As we noted then, however, improvement in the Medicare reimbursement environment for telemedicine services has been tied to a policy goal of not increasing utilization unnecessarily. We noted in our Mid-Year Review that Congress appears to be following MedPac’s recent guidance that Congress “should take a measured approach to further incorporating telehealth into Medicare by evaluating individual telehealth services to assess their capacity to address. . . cost reduction, access expansion, and quality improvement.” The recently introduced Reducing Unnecessary Senior Hospitalizations Act of 2018 (the RUSH Act), seems to deviate from MedPac's suggested...

Continue Reading

False Claims Act Settlement with eClinicalWorks Raises Questions for Electronic Health Record Software Vendors

On May 31, 2017, the US Department of Justice announced a Settlement Agreement under which eClinicalWorks, a vendor of electronic health record software, agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to resolve allegations that it caused its customers to submit false claims for Medicare and Medicaid meaningful use payments in violation of the False Claims Act. Read the full article.

Continue Reading

Recent $2.5 Million OCR Settlement Is a Warning to Wireless Health Service Providers

On April 24, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement in the amount of $2.5 million based on the impermissible disclosure of unsecured electronic protected health information (ePHI) by a provider of remote mobile monitoring, with a focus on patients who are at risk for cardiac arrhythmias. In January 2012, the remote monitoring company reported that a workforce member’s laptop containing the ePHI of over a thousand individuals was stolen from a parked vehicle outside of the employee’s home. A little over one year later, the same company reported a second breach that compromised the ePHI of twice as many individuals (details regarding this breach were not provided by OCR). OCR’s investigation revealed that the company allegedly had insufficient risk analysis and risk management processes in place at the time of the theft....

Continue Reading

What You Need to Know about Changes to the Common Rule

The Final Rule published by the US Department of Health and Human Services on January 18, 2017, largely avoids major modifications to the Common Rule. However, it specifically addresses creation of biospecimen and data repositories and use of those repositories for secondary research. All stakeholders involved in federally funded research should be aware of the Final Rule’s changes and prepare to implement them. Read the full article here.

Continue Reading

HHS Finalizes Overhaul of Federal Human Subjects Research Protections

On January 18, 2017, the Department of Health and Human Services (HHS) and 15 other federal agencies issued a final rule overhauling the federal human subjects research regulations known as the “Common Rule.” These are the first revisions to the Common Rule since its original enactment in 1991, and have been in progress since HHS first published an Advanced Notice of Proposed Rulemaking in July 2011. According to the press release accompanying the final rule, HHS made “significant changes” to its most recent proposals (published in September 2015) in response to the 2,100+ public comments they received. The majority of the Common Rule’s changes and new provisions will go into effect in 2018. We are reviewing the final rule in detail, and a summary of changes and new provisions is forthcoming.

Continue Reading

OMB Reviewing Common Rule Overhaul

On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017. Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes...

Continue Reading

Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws. The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI,...

Continue Reading

Pressure Points: OCR Enforcement Activity in 2014

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI).  The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs. Security risk assessment is key. OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough...

Continue Reading

STAY CONNECTED

TOPICS

ARCHIVES