Health Law Advisor

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

On April 7, 2022, the Centers for Medicare and Medicaid Services (CMS) issued guidance terminating numerous blanket waivers applicable to skilled nursing facilities (SNFs), inpatient hospices, intermediate care facilities for individuals with intellectual disabilities (ICF/IIDs), and end stage renal disease (ESRD) facilities.  The amount of blanket waivers ending is notable; while there have been terminations of waivers previously, these were usually limited to a single waiver.

CMS expressed concern “about how residents’ health and safety has been impacted by the regulations that have been waived, and the length of time for which they have been waived.” CMS reported that findings from onsite surveys at these facilities “revealed significant concerns with resident care that are unrelated to infection control.” Accordingly, CMS is acting to remove certain operational flexibilities not directly related to infection control.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

On March 28, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of two additional cases as part of OCR’s HIPAA Right of Access Initiative.

This month’s post focuses on how timely FDA decisions are in categorizing new diagnostics under the Clinical Laboratory Improvements Amendments of 1988 (CLIA). The answer is that, on average, the agency does okay, but they also sometimes may miss their own guideline by a wide margin.  I use the word “may” there because the FDA data set is inadequate to support a firm conclusion.  I’ll explain more about that below, but this is another case of FDA releasing incomplete data that frustrates data analytics.

In this episode of the Diagnosing Health Care Podcast:  How does the U.S. Department of Justice (DOJ) intend to leverage its enforcement authority under the False Claims Act to advance DOJ’s recently announced Civil Cyber-Fraud Initiative?

On March 22, 2022, the Occupational Safety and Health Administration (OSHA) announced that it had partially reopened the comment period for its permanent standard to protect health care and health care support workers from exposure to COVID-19 in the workplace.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.

In this episode of the Diagnosing Health Care Podcast:  The interoperability and information-blocking rules have imposed new regulations and requirements on health information exchanges (HIEs). How are HIEs responding to these new regulations in a space they have been in for decades? In this episode of our special series on interoperability, hear from Dan Paoletti, CEO of the Ohio Health Information Partnership.

From our Thought Leaders in Health Law video series:  The U.S. Department of Justice (DOJ) collected $5.6 billion in False Claims Act recoveries in fiscal year (FY) 2021.

That is over twice as much as 2020, and a record 90 percent of the total was collected from the health care and life sciences industries.