US Department of Health and Human Services
Subscribe to US Department of Health and Human Services's Posts

Hospital Settles With OCR for $4.75 Million Over HIPAA Violations

The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).

According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.




read more

HHS Publishes New Rights of Conscience Final Rule

On January 11, 2024, the US Department of Health and Human Services (HHS) published its new final rule governing federal healthcare conscience protection statutes. The 2024 final rule, which went into effect March 11, 2024, repeals the majority of the prior final rule from 2019 that was found to be unlawful by three federal courts and reverts to the 2011 framework created by the Obama administration to address rights of conscience.

Read more here.




read more

New Proposed Rules Aim to Enhance Healthcare Accessibility for People With Disabilities

The US Department of Health and Human Services and the US Department of Justice recently published new proposed rules that update and create various requirements under Section 504 of the Rehabilitation Act of 1973 and Title II of the Americans with Disabilities Act of 1990. What are some of the biggest changes?

Read more here.




read more

The MHPAEA Proposed Rule: ‘Meaningful Benefits’ and the ‘Scope of Services’

This post continues our consideration of comments submitted in response to proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA). Our previous MHPAEA content is available here.

Under current law, if a plan provides any mental health or substance use disorder (MH/SUD) benefits in any classification of benefits, benefits for that condition or use disorder must be provided in every classification in which medical/surgical (M/S) benefits are provided. Classifications for this purpose include inpatient, in-network; inpatient, out-of-network; outpatient, in-network; outpatient, out-of-network; emergency care; and prescription drugs. The proposed regulations modify this standard by providing that a plan does not provide benefits for MH/SUD benefits in every classification in which M/S benefits are provided unless the plan provides meaningful benefits for treatment for the condition or disorder in each such classification “as determined in comparison to the benefits provided for medical/surgical conditions in the classification.”

The term “meaningful benefits” is nowhere defined. The regulators nevertheless “recognize that the proposal to require meaningful benefits [ ] is related to scope of services.” “Scope of services” for this purpose generally refers to the types of treatments and treatment settings that are covered by a group health plan or health insurance issuer. The preamble to the proposed regulation invites comments on how the meaningful benefits requirement “would interact with the approach related to scope of services adopted under the 2013 final regulations.” The preamble of the 2013 final regulations addressed an issue characterized as ‘‘scope of services’’ or ‘‘continuum of care’’ but otherwise failed to provide any substance. Two examples from the proposed regulations do, however, give us a sense of what the regulators have in mind.

  • A plan that generally covers treatment for autism spectrum disorder (ASD), a mental health condition, and covers outpatient, out-of-network developmental evaluations for ASD but excludes all other benefits for outpatient treatment for ASD, including applied behavior analysis (ABA) therapy, when provided on an out-of-network basis. (ABA therapy is one of the primary treatments for ASD in children.) The plan generally covers the full range of outpatient treatments and treatment settings for M/S conditions and procedures when provided on an out-of-network basis. The plan in this example violates the applicable parity standards.
  • In another example, a plan generally covers diagnosis and treatment for eating disorders, a mental health condition, but specifically excludes coverage for nutrition counseling to treat eating disorders, including in the outpatient, in-network classification. Nutrition counseling is one of the primary treatments for eating disorders. The plan generally provides benefits for the primary treatments for medical conditions and surgical procedures in the outpatient, in-network classification. The exclusion of coverage for nutrition counseling for eating disorders results in the plan failing to provide meaningful benefits for the treatment of eating disorders in the outpatient, in-network classification, as determined in comparison to the benefits provided for M/S conditions in the classification. Therefore, the plan violates the proposed rules.

Notably, the newly proposed meaningful benefits requirement is separate from, [...]

Continue Reading




read more

The MHPAEA Proposed Rule: Standards of Care and Medical Necessity

Comments submitted in response to the proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) reflect a broad range of perspectives. Our previous MHPAEA content is available here.

A nontrivial subset of the comments single out a particular nonqualified treatment limitation (NQTL) for special treatment or scrutiny. An example of this trend is found in an October 16, 2023, comment letter submitted by the Legal Action Center. The letter asks the US Departments of Labor, Health and Human Services, and the Treasury (the Departments) to address the rule’s treatment of medical standards of care and medical necessity.

Under the 2013 final MHPAEA regulations, a plan or issuer may not impose an NQTL with respect to mental health/substance use disorder (MH/SUD) benefits in any classification unless the processes, strategies, evidentiary standards or other factors used in applying the NQTL in the classification are comparable to, and are applied no more stringently than, the processes, strategies, evidentiary standards or other factors used in applying the limitation with respect to medical/surgical (M/S) benefits. (Classifications for this purpose include inpatient, in-network; inpatient, out-of-network; outpatient, in-network; outpatient, out-of-network; emergency care; and prescription drugs.)

The proposed regulation defines “strategies” as “practices, methods, or internal metrics that a plan or issuer considers, reviews, or uses to design an NQTL.” Compliance with and deviations from generally accepted standards of care are cited as examples. Strategies for this purpose include “the development of the clinical rationale used in approving or denying benefits,” which is the central purpose of medical necessity determinations.

Medical necessity criteria are considered NQTLs because the criteria have the capacity to limit a patient’s access to or duration of MH/SUD treatment that are not based on the frequency of treatment, number of visits, days of coverage or days in a waiting period (the latter are quantitative treatment limitations). The Legal Action Center claims that plans sometimes develop their own criteria for determining medical necessity for MH/SUD treatment or use criteria developed by nonprofit clinical specialty associations or industry entities, despite the law’s admonition that plans must treat the two comparably. Concerned that under the proposed regulation plans retain significant discretion to adopt overly restrictive medical necessity criteria, the Legal Action Center asks the Departments to revise the definition of “strategies” to include a definition of “generally accepted standards of care” that is tied to criteria and guidelines from the nonprofit clinical association for the relevant specialty.

One way to determine the quality of a medical necessity definition is to look at claims data, which offer a useful test of parity compliance. Current law does not require parity of outcomes, but the proposed regulation does. The proposed rule would require that plans collect and evaluate outcomes data for the express purpose of assessing the impact of the NQTL on access to MH/SUD benefits. Material differences in outcomes are viewed as a strong indicator of noncompliance. (For the network composition NQTL, a material difference in outcomes data [...]

Continue Reading




read more

The Proposed MHPAEA Regulations: A Comment on the Comments

In our last post, we considered some of the comment letters submitted in response to proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) issued by the US Departments of Labor, Health and Human Services and the Treasury (the Departments). Our previous MHPAEA content is available here.

The comment period for the proposed regulations closed on October 17, 2023. Stakeholders submitted more than 7,500 comments. While we have not read them all, we’ve seen enough to discern the broad contours. There are those in favor, those opposed and those that take some middle ground with recommended modifications. Among the latter, the modifications run the gamut from trivial to substantive. One particular comment generally approving of the rule but urging modifications caught our attention. It was submitted by the Brookings Institution, and it offered the following (at least in our view) useful insights.

Heterogeneity of Mental Health/Substance Use Disorder (MH/SUD) Benefits Versus Medical/Surgical (M/S) Benefits

The comment explains that roughly 41% of M/S visits are for chronic conditions, which are less likely to be subject to concurrent review. In contrast, between 64% and 69% of MH/SUD visits focus on treatment of mood disorders, anxiety disorders, psychoses and personality disorders, i.e., chronic recurring conditions. The comment notes: “Even if all chronic visits in general medical practice were subject to concurrent review, any concurrent review for mental health or substance use disorder services would fail the ‘substantially all’ test.” (Emphasis added)

The comment recommends that the Departments consider a more fine-grained method of comparing the use of nonquantitative treatment limitations (NQTLs) between MH/SUD benefits and those for M/S benefits.

Schematic Representation of NQTLs (and Why This Matters)

The comment expresses concern over the depth of the analysis that is required for each NQTL. Page four provides a useful schematic that fleshes out the particulars. The schematic makes the point that a substantial amount of effort is involved in demonstrating compliance for a single NQTL. The steps include “identifying which services apply [ ], identifying factors considered in the design of the NQTL, identifying sources used to define these factors, and demonstrating that the NQTL is applied no more stringently to mental health and substance use disorder benefits than medical/surgical benefits.”

Moreover, all steps must be repeated for each additional NQTL. While even a casual review of the proposal would lead the reader with the sense that compliance would be a challenge, the use of the visual schematic drives the point home visually.

The Exception for Independent Professional Medical or Clinical Standards

The proposed rule identifies two exceptions to the NQTL requirements, the first of which is based on “Independent Professional Medical or Clinical Standards.” While there is a good deal of disagreement as to its proper scope and even its utility, the Brookings comment worries that “the language in the proposed rule also opens the door to regulatory gaming because it is overly broad.” According to the comment: “If the [...]

Continue Reading




read more

HHS Proposes Updates to Disability Nondiscrimination Regulations for First Time in Nearly 50 Years

Discrimination on the basis of disability has contributed to significant disparities in healthcare and child welfare. To address these disparities, the US Department of Health and Human Services (HHS) recently proposed updated regulations implementing Section 504 of the Rehabilitation Act of 1973 to prohibit discrimination on the basis of disability in programs or activities that receive HHS funds. Although most of the revisions align with expectations imposed on stakeholders through other federal laws, some proposed changes are unique to HHS programs, including regulations impacting medical treatment, value assessments, medical diagnostic equipment, digital media and child welfare programs.

Access full article.




read more

Treasury, DOL and HHS Issue Landmark Mental Health Parity Proposed Rule

The US Departments of the Treasury, Labor, and Health and Human Services (the Departments) recently issued much-anticipated proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) to better ensure that health plans allow access to mental health or substance use disorder benefits as easily as medical or surgical benefits. The proposed regulations reiterate the Departments’ focus on mental health parity and underscore the importance of compliance for health plan sponsors. They also come after many plans have been subject to audit by the Departments which focused heavily on MHPAEA compliance, leaving plan sponsors frustrated at the lack of guidance and inconsistent application of MHPAEA.

Read more here.




read more

How Dobbs Has Changed the Data Privacy Landscape

Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.

Access the article.




read more

HIPAA Compliance 101: Lessons from a Recent OCR Settlement

The US Department of Health and Human Services Office for Civil Rights (OCR) recently announced a settlement with a community hospital resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules. While the settlement involved a medical provider, it offers some important lessons for other HIPAA-covered entities, including employer-sponsored group health plans.

The settlement involved impermissible data breaches by non-medical staff who, allegedly, used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The lesson here is straightforward: all HIPAA-covered entities must “protect the privacy and security of health information.”

The HIPAA privacy and security rules are complex, and full compliance requires substantial resources that are, as a practical matter, beyond the reach of many organizations. While OCR routinely refers to these rules as “scalable,” that claim is difficult to square with our experience. Full compliance with the particulars of the rule is costly and time-consuming, and it requires no shortage of expertise. Thankfully, in practice, OCR tends to focus its investigative resources on certain features of these rules. These features include the following items which covered entities must perform to comply:

  • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain and revise, as necessary, written HIPAA policies and procedures;
  • Enhance HIPAA and security training programs to provide workforce training on the updated HIPAA policies and procedures; and
  • Review relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

Where group health plans are concerned, fully insured plans routinely rely on their carriers for HIPAA compliance, which requires that plan sponsors get only “summary” health information at renewal. This option is not available to self-funded plans, however, even those that contract with a carrier for administrative services. Employers in this latter category should be reasonably confident of surviving an OCR audit or investigation only, at a minimum, by taking the actions listed above.




read more

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

Top ranked chambers 2022
US leading firm 2022