On March 18, 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued updated guidance regarding the use of online tracking technologies by entities and business associates subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
The updated guidance replaced OCR’s original guidance issued in December 2022. Both warn companies subject to HIPAA, namely Covered Entities and their Business Associates (collectively “Regulated Entities”), that use of online tracking technologies, such as cookies and pixels, may result in the impermissible disclosure of Protected Health Information (“PHI”), including “individually identifiable health information” (“IIHI”), to third parties in violation of HIPAA. The guidance explained that covered entities’ HIPAA obligations are triggered where an online tracking technology connects an individual’s IP address with a visit to an unauthenticated public webpage addressing specific health conditions or health care providers (the “Proscribed Combination”).
Stakeholders are continuing to analyze the implications of the mammoth proposed rule on “Medicare and Medicaid Programs: [Calendar Year (CY)] 2025 Payment Policies under the Physician Fee Schedule and Other Changes to Part B Payment and Coverage Policies; Medicare Shared Savings Program Requirements; Medicare Prescription Drug Inflation Rebate Program; and Medicare Overpayments” (the “CY 2025 PFS Proposed Rule”).
While it’s not easy to reach the end of the title, let alone the 1053-page rule, False Claims Act (FCA) attorneys should note with interest that last topic—Medicare overpayments. As the CY 2025 PFS Proposed Rule would, if finalized, change Medicare regulations regarding requirements for reporting and returning Parts A and B overpayments, stakeholders and their counsel need to understand their obligations.
Healthcare organizations continue to be prime targets of cyberattacks. It is well-established that cyberattacks can lead to financial loss, reputational damage, and, in some cases, risks to patient care and safety. The recent and well-publicized cybersecurity incident affecting Change Healthcare further evidences these risks. As a result of the widespread and disruptive impact of this most recent cyberattack on the healthcare ecosystem, on March 5, 2024 the U.S. Department of Human Services (HHS) issued a public statement and has also announced that it opened an ...
On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.
On April 10, 2020, the U.S. Department of Health and Human Services (“HHS”) provided additional details regarding its plan to provide billions in relief to providers in an effort to off-set healthcare-related expenses resulting from the Coronavirus (“COVID-19”) outbreak.
Passed into law on March 27, 2020, the Coronavirus Aid, Relief and Economic Security Act, also called the “CARES Act”, provided $100 billion in funding for the Public Health and Social Services Emergency Fund (the “Fund”). The Fund is a pre-existing resource overseen by the Office of Financial Planning & Analysis within HHS. The $100 billion added via the CARES Act was made available to qualifying healthcare providers to reimburse them for “health care related expenses or lost revenues that are attributable to [COVID-19]”. The CARES Act stipulated that the $100 billion would be made available to public entities, Medicare or Medicaid enrolled suppliers and providers and other entities as may be further specified in regulations or guidance, provided that any such provider must “provide diagnoses, testing or care for individuals with possible or actual cases of COVID-19”. Monies received from the Fund may not be used to cover expenses that have already been reimbursed through other sources or that other sources are obligated to reimburse. Little other detail regarding the funding or mechanism for disbursal was provided in the CARES Act itself.
In a new issuance on its website, HHS provided additional details on the program. HHS noted that $30 billion out of the appropriated $100 billion will be distributed immediately via direct deposit, starting April 10, 2020. Further, HHS clarified that the money is “payment” and not a loan, and thus will not need to be repaid. The initial $30 billion tranche is being made available only to providers that received Medicare fee-for-service payments in 2019. The payments are being distributed according to the Taxpayer Identification Number (TIN) of the billing organization.
Numerous media reports concern the shortage of medical resources, personal protective equipment, and qualified professionals during the growing COVID-19 medical emergency. As a result, providers may ultimately have to make choices regarding resource allocation among hospitalized patients suffering from COVID-19. Disability rights and other advocacy groups have expressed concern about resource allocation from the point of view of how individuals with pre-existing disabilities and other individuals may have been treated in the past by the medical system. While bioethicists may work to address the ethical issues involved with treating patients under conditions of resource scarcity, providers rightfully may worry about potential legal liability in distributing scarce resources among those in need. While both the Trump Administration and Congress have acted to allay some of these worries, concerns remain for both individual practitioners and the facilities with which they work.