On Friday, July 7, 2023, the Centers for Medicare & Medicaid Services (CMS) published their long-awaited proposed remedy to the unlawful 340B drug payment reductions.

Background: In 2018, CMS significantly reduced the Average Sales Price (ASP) plus six-percent (6%) formula for calculating 340B drug payments to ASP minus 22.5%. After conflicting decisions from the District of Columbia’s federal District and Appeals Courts, on June 15, 2022, a unanimous U.S. Supreme Court concluded that the ASP minus 22.5% formula was “unlawful” and violated a clear statutory mandate to reimburse 340B drugs at ASP plus 6%. American Hospital Assn. v. Becerra, 142 S. Ct. 1896, 1906 (2022). However, the U.S. Supreme Court did not address remedies and remanded the case to the U.S. District Court for the District of Columbia. On September 28, 2022, the District Court vacated the payment reduction and ruled that CMS had to stop paying the unlawful rate. However, it did not address the damages from January 1, 2018 – September 27, 2022.[1]  On January 10, 2023, the District Court further remanded the case to CMS to provide a remedy for the underpayments dating back to January 1, 2018.[2]  

Two chambers of commerce, the Chamber of Commerce the United States of America and the Tyler (TX) Area Chamber of Commerce, filed a lawsuit on August 10, 2021, in the US District Court for the Eastern District of Texas against the United States departments of Health and Human Services, Labor and Treasury to block the implementation of two provisions contained in the federal regulations entitled Transparency in Coverage (“Rule”). 

The first challenged provision requires health plans to post on a website internal pricing data, including allowed amounts, in-network rates, and the negotiated rates for all services and the “historical net price” of prescription drugs, in “machine-readable” (searchable) files. The second provision being challenged requires the inclusion of the “historical net price” of prescription drugs in the machine-readable files. The provisions are set to go into effect for “plan years” beginning after January 11, 2022. Another major provision of the Rule, the one requiring insurers to provide “cost-sharing information” to individuals upon request via a website or in paper form, is not being challenged in the lawsuit.    

The United States Departments of Health and Human Services, Treasury and Labor released interim final rules (“Rules”) regarding the “No Surprises Act” (“Act”) yesterday. The Rules are effective beginning on January 1, 2022. They cover the requirements for the billing and payment of emergency and air ambulance services by non-participating providers and non-emergency services performed by non-participating providers at participating health care facilities.  The Rules do not detail the independent dispute process between plans and providers (“IDR”), transparency requirements, or price comparison tools that are outlined in the Act. The agencies intend to issue rules covering those aspects of the Act later this year.

While we, along with the plans, providers and patient advocacy groups sift through over 400 pages of preamble and regulations in the coming days and weeks, there are a few items worth noting initially:

On Friday, April 24th, President Trump signed the Paycheck Protection Program and Health Care Enhancement Act (“Act”) into law that will send an additional $75 billion to the Public Health Emergency and Social Services Fund (“Fund”) used to reimburse eligible health care providers for health care related expenses or lost revenues that are attributable to COVID-19. These funds will be in addition to the $100 billion previously appropriated to the Fund in the CARES Act. Of that $100 billion, the first $30 billion was distributed through the Health Resources and Services Administration (HRSA) to health care providers proportionally, based on the providers’ share of total 2019 Medicare payments. HHS has outlined how the remaining $70 billion of the initial $100 billion Congress dedicated to the Fund in the CARES Act would be allocated to providers, with additional payments starting April 24^th. However, HHS has not published any additional guidance as to how the Act’s additional $75 billion will be allocated.

The CARES Act (“Act”) appropriates $100 billion to create a Public Health Social Service Emergency Fund (“Fund”) to prevent, prepare for, and respond to coronavirus domestically and internationally for necessary expenses to reimburse, through grants or other mechanisms, eligible health care providers enrolled in Medicare and Medicaid who provide diagnoses, testing, or care for individuals with possible or actual cases of COVID–19, for health care-related expenses or lost revenues that are attributable to coronavirus. Although the Act sets forth some high level qualifying criteria, the actual mechanism by which providers can apply for or request funds, or additional qualifiers for eligibility, if any, have not yet been released. To date, the Act notes that funds appropriated under this provision may be used for:

The National Quality Forum (“NQF”) has published a draft report (“Report”) recommending various methods to measure the use of telehealth.  By way of quick background, NQF is a non-profit, nonpartisan organization that seeks national collaboration to improve health and healthcare quality through measurement.  The Department of Health and Human Services (“HHS”) requested NQF to convene a multi-stakeholder committee to recommend various methods to measure the use of telehealth as a means of providing care. Among other things, the Report analyzes the best way to ensure clinical measures are appropriately applied to telehealth, proposes a measure framework, sets some guidelines for future telehealth measurement, and identifies measurement gaps.

To help develop a telehealth measurement framework, NQF began by conducting a comprehensive scan identifying existing measures and potential measure concepts related to telehealth. As explained in the Report, the “framework is a conceptual model for organizing ideas that provides high-level guidance and direction on priorities for what is important to measure in telehealth and how measurement should take place in order to assess its impact on healthcare delivery and outcomes.” The Report analyzed reports and white papers from organizations such as the American Telemedicine Association, the Health Information Management and Systems Society, and the Office of the National Coordinator for Health Information Technology. Continue reading…

Hours after taking the oath of office President Donald Trump signed a broadly worded executive order (“Order”) intended to minimize if not eliminate the impact of the ACA’s least popular provisions. With the Order President Trump can claim immediate action towards fulfilling a major campaign pledge while giving his administration and the Republican led Congress time to come up with a replacement plan.

The Order directs the secretary of HHS and other agency heads to, among other directives:

[E]xercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the [ACA] that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications. [And] [t]o . . . exercise all authority and discretion available to them to provide greater flexibility to States and cooperate with them in implementing healthcare programs. [And] [t]o . . . encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.

The Order makes it clear that any agency actions under the order must be within the confines of the law and its existing regulations, both of which remain in place at least for now. The agencies still have the option of amending or repealing ACA regulations but the Order gives them the authority to take some action before going through the regulatory approval process.

Apparently, the agencies will decide which stakeholders’ costs and “burdens” under the ACA will be reduced. This presents them with an interesting challenge given the opposing interests inherent in the broad group of stakeholders expressly targeted for relief under the Order. For example, if the scope of the individual mandate (likely the prime target of the Order) were reduced relieving some individuals of the cost of buying health insurance, it would likely skew the risk pool of the exchange plans to less healthy participants increasing the cost and burden on the exchange’s insurers and those individuals who want to purchase insurance through the exchanges. That action could also end up reducing overall insurance coverage increasing the uncompensated care hospitals and other providers would be required to deliver.

Perhaps the most interesting aspect to watch, however, will be whether the Order ultimately has any significant substantive effect or simply ends up being a symbolic gesture. Some observers have contended that significant delays to, or gutting of, a portion of the ACA’s tightly woven and inter-related pieces mid-year 2017 would create chaos in the affected programs, like the health insurance exchanges, which are already underway this year. Therefore, there has been speculation that actions under the Order are not likely to be effective until 2018. The question is whether any actions under the Order, which are expressly limited to those that are permissible under the ACA, will mean anything in 2018 when it is almost certain that the ACA will have already been repealed.

Whether substantive or symbolic, clearly the first step in the ACA’s dismantling has been taken and we will be watching very closely as the administration and Congress take many more.

On September 8, 2016, CMS announced in its blog that it will allow physicians to select their level of participation for the first performance year of the Medicare Access and CHIP Reauthorization Act of 2015 (“MACRA”) Quality Payment Program, which begins January 1, 2017. Importantly, during the first performance year (2017), “[c]hoosing one of these options would ensure [physicians] do not receive a negative payment adjustment” under MACRA in 2019.

Under the Quality Payment Program physicians will fall under the Merit-Based Incentive Payment System (“MIPS”) if they do not qualify under the Advanced Alternative Payment Model (“Advanced APM”) option.  In 2019, physicians who are in the MIPS default option could face Medicare rate adjustments of up to 5% based on their performance under four weighted performance categories: quality (50%); resource use (10%); advancing care information (25%); and clinical practice improvement (15%). Advanced APMs include, for example, Track 2 and 3 MSSP ACOs; next generation ACOs; and bundled payment models, and physicians who qualify under the Advanced APM option earn a 5% incentive, are excluded from MIPS adjustments and receive higher fee schedule updates after 2024.

Recognizing that many physicians may face negative payment adjustments under MIPS as a result of participating under the Quality Payment Program, CMS is going to allow eligible physicians to “pick their pace of participation” and ensure they do not receive such negative payment adjustments in 2019 by choosing one of four options for the first performance year:

1. Test the Quality Payment Program;
2. Participate for part of the calendar year;
3. Participate for the full calendar year; or
4. Participate in an Advanced APM in 2017.

The first three options fall under MIPS, while the fourth option falls under the Advanced APM. In the first option, physicians could “submit some data to the Quality Payment Program”, avoid negative payment adjustments and test the waters before broader participation in subsequent years. Under option two, the performance year could begin later than January 1, 2017, a physician practice “could qualify for a small positive payment adjustment”, and a physician would submit Quality Payment Program information for fewer days. The third option is ideal for those physician practices that are ready to participate beginning January 1, 2017 and who are able to submit a full year of quality data. Additionally, physicians “could qualify for a modest positive payment adjustment.” The fourth option would be viable for those physicians or physicians groups who treat enough Medicare beneficiaries and who receive enough of their Medicare payments through an Advanced APM (e.g., MSSP ACOs). Through the Advanced APM option, physicians/physician groups would “qualify for a 5 percent payment in 2019.” It remains unclear what the difference is between a “small” and “modest” payment adjustment. However, CMS may address this in the final rule along with how it will implement MIPS and the Advanced APM. CMS will release the final rule by November 1, 2016.

For more information about MACRA, contact Chris Raphaely, Nicole Martin or a member of Cozen O’Connor’s Health Law team.

In response to the increasing prevalence of ransomware cyber-attacks by hackers on electronic health information systems in hospitals and medical practices, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on Monday July 11, 2016 its publication of new HIPAA guidance on ransomware (“Ransomware Guidance”). According to OCR:

Ransomware is a type of malware (or malicious software) that encrypts data with a key known only to the hacker and makes the data inaccessible to authorized users. After the data is encrypted, the hacker demands that authorized users pay a ransom (usually in a cryptocurrency such as Bitcoin to maintain anonymity) in order to obtain a key to decrypt the data.

Notably, the HIPAA Security Rule already requires implementation of security measures to help covered entities and business associates prevent the introduction of malware (e.g., ransomware) into their systems, and to implement policies and procedures to assist in responding to ransomware attacks. The Ransomware Guidance addresses, among other areas, how to implement security measures in order to prevent, mitigate the chances of, or even recover from ransomware attacks. Not surprisingly, conducting a risk analysis (or risk assessment) is at the core of covered entities and business associates implementing security management processes as required by the HIPAA Security Rule. The Ransomware Guidance further notes that maintaining an overall contingency plan, as required by the Security Rule, that includes disaster recovery planning, emergency operations planning and frequent backups of data can also help covered entities and business associates respond to and recover from malware infections, including ransomware attacks.

In addition, the Ransomware Guidance states that ransomware attacks against a covered entity or business associate can be considered a breach under the HIPAA Rules. Specifically, the Ransomware Guidance provides, “[w]hen electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e. unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” Therefore, unless it can be shown that there is a low probability that the PHI involved in the ransomware attack has been compromised based on the factors in the Breach Notification Rule, a breach is presumed to have occurred, which would trigger the applicable breach notification provisions.

Even before OCR’s publication of the Ransomware Guidance, in late June the Secretary of HHS sent a letter (“Letter”) to the attention of chief executive officers at health care entities addressing the threat of ransomware. The Secretary attached interagency guidance to the Letter containing best practices and mitigation strategies integral to combatting ransomware incidents.

Ransomware is immediately disruptive to the day-to-day operation of businesses, as seen by its impact earlier this year on health care systems like MedStar in Washington, D.C. and Hollywood Presbyterian Medical Center in Los Angeles (“HPMC”), resulting for example, in HPMC paying 40 Bitcoins (approximately $17,000) to regain control of its computer system. Although the Ransomware Guidance does not address whether payment or ransom should be paid to regain access to computer systems, the interagency guidance attached to the Letter advises against paying hackers because, among other reasons, paying a ransom doesn’t necessarily guarantee that an entity will regain access to its system. The Ransomware Guidance does recommend that an entity victimized by a ransomware attack contact its local FBI or United States Secret Service field office.

For more information about the Ransomware Guidance contact Gregory M. Fliszar, Ryan Blaney, J. Nicole Martin or a member of Cozen O’Connor’s Health Law team.

Days after the publication of the Food and Drug Administration’s controversial final rule regarding e-cigarettes (and other nicotine-delivering products), a company called Nicopure Labs LLC filed a lawsuit challenging it in the U.S. District Court for the District of Columbia.  Nicopure seeks to have the rule vacated and declared unlawful, and has requested a preliminary injunction barring enforcement of the rule and prohibiting the FDA from taking any action under the rule pending resolution of the lawsuit.

The final rule, which will take effect on August 8, 2016 absent an injunction, grants the FDA authority to regulate electronic cigarettes and other vaping products and imposes rules on the industry that many insiders fear will leave it decimated.  These rules include banning sales to anyone younger than 18 years of age, requiring extensive warning labels on packing and — most significantly — subjecting all products (even those currently on the market) to the FDA approval process and the FDA’s reporting and recordkeeping requirements.  The price tag associated with the FDA approval process alone likely will pose an insurmountable barrier for the small vape shops, device manufacturers and e-liquid producers that currently drive most of the industry.

Nicopure, a Florida company that distributes battery-powered vaping devices and manufactures and distributes e-liquid, seeks to have the Final Rule vacated on several grounds.  First, Nicopure alleges that the deeming rule defines “tobacco product” so broadly that it constitutes an unreasonable construction of the authority granted under the Administrative Procedure Act (APA).  Additionally, Nicopure contends that the rule should be vacated as arbitrary and capricious in violation of the APA.  Finally, Nicopure brings a constitutional challenge, arguing that the rule violates the First Amendment by prohibiting manufacturers from “making truthful and nonmisleading statements regarding vaping devices, e-liquids and related products” and from “engaging in other forms of protected expression, including by distributing free samples of vaping devices or e-liquids.”

As of this writing, the FDA has not responded to Nicopure’s complaint, but the case (Nicopure Labs, LLC v. Food and Drug Administration, et al.,1:16-cv-00-878) will no doubt be closely watched by the rule’s proponents and detractors alike.

For more information you can contact Ryan Blaney or another member of Cozen O’Connor’s Health Law team.