On February 23, 2022, the U.S. District Court for the Eastern District of Texas gutted portions of the interim final rule affecting the independent dispute resolution (“IDR”) process of the No Surprises Act (the “Act”). Tex. Med. Ass’n v. U.S. Dep’t of Health & Human Servs., No. 6:21-cv-425-JDK, 2022 WL 542879, at *15 (E.D. Tex. Feb. 23, 2022). In particular, the Court found that the rule did not square with the plain language of the Act, which mandates that the IDR process equally consider a number of factors in deciding payments for out-of-network (“OON”) services. Id. at *7–9. Instead, the rule substantially favored one factor over the others. In further rejecting the IDR-related portions of the rule, the Court found that the government had failed to provide an opportunity for notice and comment in advance of publishing the interim final rule. Id. at *10–14. As a result, the Court granted the plaintiffs’ motion for summary judgment, denied the defendants’ cross-motion for summary judgment, and severed portions of the rule. Id. at *15.
On Thursday, September 30, 2021, the United States Departments of Health and Human Services (“HHS”), Labor and Treasury released an interim final rule (“Rule”) that completes most of the regulatory framework under the federal No Surprises Act (“Act”). The Act largely bars balance billing of patients who receive emergency services or hospital-based provider services (at an in-network facility) on an out-of-network basis. This is the second part of the agencies’ rulemaking under the Act. The first part was released in July 2021. This second part deals primarily with the independent dispute resolution (“IDR”) process, which will determine the “appropriate out of network rate” to be paid to the provider by the health plan for a particular emergency or hospital-based provider service, and with a portion of the provider price transparency requirements under the Act.
As we indicated in last week’s blog post, the D.C. Circuit Court’s refusal to uphold HHS’ pharmaceutical price disclosure rule (“RX Rule”) was not a predictor of how the trial court might rule in the closely watched challenge to HHS’ hospital price transparency rule (“Hospital Rule”). In a June 23, 2020 ruling on cross motions for summary judgment, American Hospital Association, et al. v. Azar, D.C. District Court Judge Carl Nichols ruled that HHS did not overstep its authority under Section 2718 of the Public Health Services Act (“Section 2718”) by requiring hospitals to publish their “gross charges”, payer-specific negotiated rates, discounted cash prices, and de-identified minimum and maximum negotiated charges.
On June 16, the D.C. Circuit Court struck down the Centers for Medicare and Medicaid Services’ (“CMS”) rule issued in May 2019 requiring pharmaceutical companies to disclose the wholesale acquisition cost of drugs over $35 in their direct-to-consumer television advertisements (“RX Rule”). Similar to the RX Rule, the Hospital Price Transparency Rule, issued on November 27, 2019, requires hospitals to publish, among other information, payor-specific rates for certain services on their websites beginning on Jan 1, 2021 (“Hospital Rule”). Both rules stem from the Trump administration’s stated efforts to improve the nation’s health care quality and transparency, and both were met with swift legal opposition. The Hospital Rule litigation, American Hospital Association et al. v. Azar, is currently before the U.S. District Court for the District of Columbia. While the D.C. Circuit Court’s RX Rule decision could be viewed as a predictor of the outcome of the Hospital Rule litigation, the alleged statutory authority underlying the Hospital Rule is different than the statutory authority underlying the RX Rule. Therefore, the Circuit Court’s ruling in the RX Rule litigation may not be an accurate barometer of the likely outcome in the Hospital Rule litigation.
As another mark of progress in the fight against opioid addiction, Governor Wolf signed Senate Bill 572 (the “Act”) into law on November 27, 2019, requiring prescribing providers (referred to as “Prescribers”) to take several additional steps before issuing a prescription for an opioid in certain treatment situations. Specifically, the Act’s requirements kick in before a Prescriber can issue a patient the first prescription in a single course of treatment for chronic pain with a controlled substance containing an opioid.
Google has confirmed that it is working with Ascension, one of the nation’s largest health systems, in a project that will involve the health data of millions of Americans. Google and Ascension have partnered in a project to store and analyze patient data with the intended goal of using Google’s artificial intelligence tools to enhance patient care and medical decision making. As a result of this partnership, it has been estimated that over 100 Google employees may have access to sensitive patient data such as name, birth date, diagnoses and treatments. Such access by Google to millions of patients’ health data has resulted in some concern over how the data will be protected, including a recently announced inquiry into the relationship by the U.S. Department of Health and Human Services’ Office of Civil Rights (“OCR”). OCR has stated that it “would like to learn more information about this mass collection of individuals’ medical records with respect to the implication for patient privacy under HIPAA.” Ascension has said that the project with Google has complied with the law and followed the healthcare organization’s “strict requirements for data handling.”
We will continue to follow this important story. Several other tech companies continue to try to gain a bigger share of America’s health care market, which will all have to be balanced with patient data privacy and security concerns.
CMS today issued its Price Transparency Requirements for Hospitals Final Rule, which will go into effect on January 1, 2021. (CMS had initially proposed that it go into effect January 1, 2020, but agreed that that deadline was too “challenging”). Hospitals will be required to post on a public website, among other things, the “payer-specific negotiated charges” for each payer and plan. These negotiated rates have typically been subject to lock and key treatment through confidentiality agreements. Noncompliance with the rules may result in corrective action plans (CAPs), civil monetary penalties (CMPs) of $300 per day (indexed to an inflation factor), and a public notice of the CMP on a CMS website. Under the rules, CMS can issue “subsequent” CMPs for continued noncompliance. A link to the Final Rule is here: https://www.hhs.gov/sites/default/files/cms-1717-f2.pdf.
The Trump Administration has also issued a proposed “Transparency in Coverage” rule that would require plans to give consumers access to a tool providing an estimate of their cost-sharing liability for all covered healthcare items and services. It would also require plans to list on a website their negotiated rates for in-network providers and the allowed amounts paid for out-of-network providers. A link to the Proposed Rule is here: https://www.hhs.gov/sites/default/files/cms-9915-p.pdf.
We will continue to analyze and monitor these rules. Stay tuned.
On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation. In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.
The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks. By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States. To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard. A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.
Hospitals that have emergency departments should call upon their “available resources” to screen and stabilize patients with mental health emergencies as required by the Emergency Medical Treatment and Labor Act (“EMTALA”) according to recent statements by an analyst for CMS and an attorney with the Office of Inspector General (“OIG”) for the Department of Health and Human Services.
While speaking at the American College of Emergency Physicians annual meeting in Chicago, the CMS representative noted that EMTALA requires hospitals with emergency departments to provide a medical screening within the capabilities of the hospital by a person who is qualified to do the examination, which, if the hospital offers psychiatric services, would include a psychiatrist. While the initial screening must be done with medical personnel such as a psychiatrist, the CMS official stated that other mental health professionals may be qualified to assist in those examinations.
The White House recently released a guidance document for those in the precision medicine community to help ensure that participants’ data and resources remain secure. The document, titled “Precision Medicine Initiative: Data Security Policy Principles and Framework,” is meant to offer “security policy principles and a framework to guide decision-making by organizations conducting or participating in precision medicine activities” and is the result of a collaborative, interagency process featuring roundtable discussions with various security experts as well as a review of existing data security resources. Federal PMI agencies already have committed to integrating the framework into all PMI activities.
But the document is meant only to be a guideline – not a one-size-fits-all solution. It notes that those in the PMI community must constantly strive to use current best practices and should conduct their own “comprehensive risk assessment to identify specific security requirements and establish processes to continuously review and make improvements.”
The guidance emphasizes some overarching principles that anyone dealing with sensitive data should bear in mind when developing and implementing a data security plan:
- Keep pace with changing technology and new security threats.
- Tailor your data security plan to your unique circumstances.
- Be specific – think about your risks and put in writing how you will neutralize them.
- Have an independent third party review your plan.
- Without compromising security, be transparent about your plan to build trust among participants.
The document also offers specific suggestions with respect to identity proofing, user credentials and authentication, encryption and physical security, audits to detect anomalous activity, and incident response, among other topics. The White House also emphasizes the importance of ongoing participant education, as well as role-specific training for those who use PMI data.
On balance, the White House’s message to the PMI community is clear: Think hard about data security, think often about data security, and act vigilantly.
The guidance is available here: www.whitehouse.gov/sites/whitehouse.gov/files/documents/PMI_Security_Principles_Framework_v2.pdf.
For more information you can contact Ryan P. Blaney or another member of Cozen O’Connor’s Health Law team.