News & Insights


December 21, 2020

Health Headlines – December 21, 2020

Deal Reached on End of Year Legislative Package Containing COVID Relief, Surprise Billing, Transparency, FY2021 Appropriations, Extenders 

On December 20, 2020, bipartisan congressional leaders announced they had reached an agreement on a COVID-19 relief package, which would be combined into one end of year legislative package with all 12 Fiscal Year 2021 federal spending bills, a surprise billing agreement, various health care policy provisions, as well as provisions related to the Paycheck Protection Program.  Both the House and Senate are expected to approve the 5,593-page bill on December 21, 2020.

  • COVID-19 Relief – Division M of the end of year package contains a $900 billion fiscal stimulus plus $1.4 trillion in government funding to provide pandemic assistance.  Included in this package will be $166 billion of direct payments to Americans, $120 billion in enhanced unemployment benefits, $284 for the Paycheck Protection Program, as well as industry-specific assistance.  The relief section also includes $69 billion for vaccines, testing and tracing, and healthcare provider support.
  • Surprise Billing – Division BB contains a deal on surprise billing, which includes transparency provisions, as well as certain public health provisions. 
  • Healthcare extenders – Division CC contains a series of provisions extending various healthcare provisions and delaying for three months the 2 percent sequester cuts that were supposed to resume January 21, 2021. 
  • FY2021 Appropriations – Divisions A-L contain all 12 federal spending bills that are included in this end of year package, funding federal agencies through September 30, 2021. 

The bill text can be found here.  

Reporter, Allison Kassir, Washington, D.C., +1 202 626 5600,

OIG Issues Two New FAQs Regarding Enforcement of Arrangements Related to COVID-19 – OIG recently issued two new FAQs and responses regarding application of OIG’s administrative enforcement authorities to arrangements directly connected to the COVID-19 public health emergency.  First, OIG indicated that an arrangement whereby a provider or supplier gives other providers and suppliers free items and services related to COVID-19 vaccine storage, distribution, redistribution, and/or administration would pose a low risk of fraud and abuse.  Second, OIG identified circumstances under which it would consider the provision of free COVID-19 diagnostic testing by a Federally Qualified Health Center (FQHC) to federal healthcare program beneficiaries to present a sufficiently low risk of fraud and abuse.

Free Items and Services Related to COVID-19 Vaccine Storage, Distribution, or Administration

On December 10, 2020, OIG posted an FAQ regarding whether a provider or supplier, such as a hospital, pharmacy, or health system, can provide other providers and suppliers with free items and services related to COVID-19 vaccine storage, distribution, redistribution, and/or administration.  For example, OIG noted that under some state and regional COVID-19 vaccine plans, providers and suppliers assume responsibility for ultracold storage of vaccines, and redistribution of vaccines to other providers and suppliers, some of which may be actual or potential federal health care program referral sources. 

OIG acknowledged that while providing free COVID-19 vaccine-related items and services to other providers and suppliers could raise concerns under the federal anti-kickback statute (AKS), it believed the provision of such items and services would pose a low risk of fraud and abuse under the AKS.  OIG stated that it was unlikely that a provider or supplier would have the requisite intent to induce or reward referrals by furnishing such goods and services.  OIG found the following factors relevant to its assessment: (1) the unique circumstances of the COVID-19 public health emergency; (2) the key role of providers and suppliers under current vaccine distribution plans approved or authorized by the FDA; and (3) that the services and items are furnished consistent with a state or regional vaccine plan submitted to the CDC, or otherwise at the direction of or in coordination with federal, state, or local health officials.

Accordingly, OIG stated that it would not take enforcement action against a provider or supplier that furnishes free or discounted goods or services related to COVID-19 vaccine storage, distribution, redistribution and/or administration.  But, OIG cautioned that the foregoing guidance would not apply to providers, suppliers, or other entities that distribute, redistribute, or administer adulterated, counterfeit, or fraudulent COVID-19 vaccines, or that otherwise attempt to generate federal health care program business by furnishing free items or services in connection with COVID-19 vaccines or other medical countermeasures not approved or authorized by the FDA. 

Free COVID-19 Diagnostic Testing by FQHCs

On December 14, 2020, OIG posted an FAQ regarding whether an FQHC can conduct free COVID-19 diagnostic testing at community health fairs via mobile testing in underserved communities impacted by COVID-19, where such testing has been cleared or approved by the FDA, is subject to an FDA-issued Emergency Use Authorization, or is covered by the Medicare program, including for federal healthcare program beneficiaries.  OIG responded that it previously recognized that FQHCs render care to some of the nation’s most vulnerable individuals and families (including to federal healthcare program beneficiaries) and that the availability of testing may be critical to combatting the current COVID-19 public health emergency. 

Under the facts presented in the FAQ, OIG stated that the provision of free COVID-19 diagnostic testing to federal healthcare program beneficiaries presents a sufficiently low risk of fraud and abuse under the AKS and Beneficiary Inducement CMP because the program includes the following safeguards: (1) free testing would be offered to all patients who request it, regardless of insurance coverage or lack thereof; (2) beneficiaries receiving a positive test would not be referred to the FQHC or any other specific provider; (3) the FQHC would not offer special discounts or any other free or discounted items or services to beneficiaries who received free testing; (4) no payor (including the beneficiary, a commercial insurance company, or a federal health care program) would be billed for or pay any costs associated with the testing services; and (5) the COVID-19 tests are cleared or approved by the FDA, are subject to an FDA-issued Emergency Use Authorization, or are covered by the Medicare program. 

Providers should keep in mind that, unlike OIG’s advisory opinion process, its published FAQs reflect “informal feedback” that does not bind or obligate HHS, DOJ, or any other agency. 

The complete OIG FAQ document, including the two recent FAQs discussed above, can be found here.

Reporter, John Whittaker, Sacramento, +1 916 321 4808,

HHS Office for Civil Rights (OCR) Issues Guidance on HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes– On December 18, 2020, OCR issued guidance addressing how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits a covered entity or its business associate to use health information exchanges (HIEs) to disclose protected health information (PHI) for the public health activities of a public health authority (PHA).

The guidance addresses the following six questions:

  • What is an HIE?
  • When does the HIPAA Privacy Rule permit a covered entity or its business associate to disclose PHI to an HIE for purposes of reporting the PHI to a PHA, without an individual's authorization?
  • Can a covered entity rely on a PHA's request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure?
  • May a covered entity disclose PHI to a PHA through an HIE without receiving a direct request from the PHA?
  • May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity?
  • Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes?  Is an HIE that is a business associate required to provide such notice?

As stated in an HHS press release, OCR’s goal in issuing this guidance is “to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public's health, particularly during the COVID-19 public health emergency.”  Related to this goal, there are three key take-aways from this guidance.

First, OCR outlines circumstances when disclosures of PHI are permitted without an individual’s authorization.  Such circumstances include:

  • When the disclosure is required by federal, state, local or other law;
  • When an HIE is a business associate of the covered entity that wishes to provide the information to a public health authority for public health; and
  • When an HIE is acting under a grant of authority or contract with a public health authority for a public health activity.

Second, OCR emphasizes that a covered entity may rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure.  To illustrate this point, OCR provides examples under which it agrees that a covered hospital, laboratory, or other healthcare provider may reasonably rely on a PHA’s representation that its request for PHI is the minimum necessary information for its stated purpose.  Such examples include a situation in which a state health department asks all healthcare providers in the state to report diagnoses of influenza and related patient information using an electronic continuity of care document, a type of summary record that includes patient identity, demographic information, and laboratory test results.

Third, OCR makes clear that during the COVID-19 public health emergency, OCR will not impose penalties on a business associate HIE for violations of certain provisions of the Privacy Rule if the HIE transmits PHI it receives as a covered entity’s business associate to a PHA for the PHA’s public health activities, regardless of whether the HIE’s BAA with the healthcare provider permits such disclosure or the provider otherwise authorizes the disclosure.

The OCR guidance is available here, and the HHS press release is available here.

Reporter, Michelle Huntsman, Houston, +1 713 751 3211,

HHS Begins Distributing Phase 3 Provider Relief Fund Payments Last week, HRSA announced that it completed its review of Provider Relief Fund (PRF) Phase 3 applications and will distribute $24.5 billion––an increase from the originally-planned $20 billion––to over 70,000 providers.  This round of funding was designed to consider the actual revenue losses and expenses experienced by providers that were attributable to COVID-19.  HHS reports this Phase 3 funding will provide up to 88 percent of providers’ reported losses.  

HHS shifted the eligibility requirements for Phase 3; thus, many providers who were not previously eligible for PRF payment, including providers who began practicing in 2020 and an expanded group of behavioral health providers, became eligible.  Furthermore, any providers who had not yet received the baseline payment of 2 percent of annual revenue from patient care were eligible to apply for funding in Phase 3.  Providers who already received the baseline distribution could apply for additional funding based on actual losses.

Over 35,000 Phase 3 applicants will not receive payment either because they experienced no change in revenues or net expenses attributable to COVID-19 or because they have already received funds that equal or exceed reimbursement of 88 percent of reported losses.  Payments to Phase 3 applicants began December 16, 2020, and will continue through January 2021 as application quality reviews and recipient payment setup are completed.  Additional information about the latest distribution is available here and a state-by-state breakdown on the first batch of Phase 3 payments is available here.  Phase 3 eligibility requirements are available here.

Reporter, Alana Broe, Atlanta, +1 678 427 1819,

Also in the News

OCR Issues 2016-2017 HIPAA Industry Report HHS Office of Civil Rights (OCR) released its HIPAA Audits Industry Report for 2016-2017 on December 17, 2020.  The Health Information Technology for Economic and Clinical Health (HITECH) Act requires HHS to periodically audit covered entities and business associates for their compliance with the HIPAA Rules.  For the Industry Report, OCR audited 166 covered entities and 41 business associates.  These organizations have been notified of OCR’s findings. The Audit found that most covered entities met the timeliness requirements for providing breach notification to individuals and satisfied the requirement to prominently post their Notice of Privacy Practices on their website.  However, the Report found that most covered entities failed both to provide all of the required content for breach notification to individuals and all of the required content for a Notice of Privacy Practices.  Furthermore, most of the covered entities did not properly implement the individual right of access requirements and the HIPAA Security Rule requirement for risk analysis and management. The HHS press release is available here.  The 2016-2017 HIPAA Audits Industry Report is available here.

King & Spalding Webinar – Recalculating:  Major Stark, Anti-Kickback and CMP Final Rules Changes are Taking Us in a New Direction


Part One

Thursday, January 7, 2021
1:00 P.M. – 2:30 P.M. ET

Part Two

Thursday, January 14, 2021
1:00 P.M. – 2:30 P.M. ET

Part Three

Thursday, January 21, 2021

1:00 P.M. – 2:00 P.M. ET

CMS and OIG recently finalized the most significant changes to the Stark Law rules, the Anti-Kickback Statute (AKS) safe harbors and the Beneficiary Inducements CMP regulations that the agencies have adopted in recent years. The final rules address value-based arrangements, introduce major changes to other key Stark Law concepts and definitions, address the donation of cybersecurity technology and services, and create flexibility to provide patient incentives in value-based arrangements and with respect to telehealth. Click here to read King & Spalding’s Client Alert highlighting the key proposals.

We are hosting a three-part webinar series to discuss these changes in greater detail, described below. We will cover new flexibilities and limitations created by these final rules, as well as how they may impact enterprise risk and future enforcement actions.

  • In Part One, we will discuss the changes to fundamental Stark Law concepts such as taking into account the volume or value of referrals or other business generated, fair market value, commercial reasonableness and the definition of indirect compensation arrangements. We also will address changes to the definition of “group practice,” writing requirements, changes to several commonly used compensation exceptions and new provisions related to cybersecurity technology and related services.
  • In Part Two, we will discuss changes related to value-based arrangements and patient incentives. This will include the new AKS safe harbors and Stark Law exception for value-based arrangements, modifications to existing AKS safe harbors and Stark Law exceptions to address value-based arrangements, new AKS safe harbors for patient incentives, revisions to the local transportation safe harbor and the warranties safe harbor and a new telehealth exception to the Beneficiary Inducements CMP.
  • In Part Three, we will explore how future enforcement theories and litigation of False Claims Act cases with Relators and the Department of Justice may evolve based primarily on changes to the Stark Law concepts of indirect compensation arrangements, taking into account the volume or value of referrals, fair market value, and commercial reasonableness.

Registration for the event is free, and you do not have to be a client to attend.  Click here to sign up.