News & Insights


December 5, 2022

Health Headlines – December 5, 2022

Group of Agency Inspectors General Publishes Report on Program Integrity Risks Across Certain Health Care Programs During the COVID-19 Pandemic

On December 1, 2022, the Pandemic Response Accountability Committee (PRAC) Health Care Subgroup published a report about the use of telehealth in selected health care programs across six federal agencies during the first year of the COVID-19 pandemic. The report identifies several program integrity risks associated with billing for telehealth services that were similar across multiple health care programs, such as risks involving inappropriate billing for the highest, most expensive level of telehealth services and risks related to duplicate claims and high-volume billing.

The PRAC Health Care Subgroup consists of the offices of the inspectors general of six agencies responsible for the oversight of agencies that provide or are involved with the provision of health care services. These agencies are the Department of Health and Human Services, the Department of Defense, the Office of Personnel Management, the Department of Veterans Affairs, the Department of Labor, and the Department of Justice.

The PRAC Health Care Subgroup developed the report to inform policymakers and stakeholders, such as Congress, Federal and State agencies, and health care organizations, with information about the nature of telehealth and to provide insight into the program integrity risks associated with telehealth. The selected programs include Medicare, TRICARE, the Federal Employees Health Benefits Program, the Veterans Health Administration, the Office of Workers’ Compensation Programs, and the Federal Bureau of Prisons and U.S. Marshals Service.

The report identifies several program integrity risks associated with billing of telehealth services, including:

  • “upcoding” telehealth visits by billing for visits longer than they lasted, or providing basic services and then billing for more complex visits;

  • duplicate billing of the same service, which may indicate that providers are intentionally billing twice to increase their payments;

  • billing for services that were not provided or not medically necessary;

  • billing for services that are seemingly not appropriate for telehealth or ineligible for telehealth; and

  • ordering unnecessary durable medical equipment, supplies, or laboratory tests associated with a telehealth visit.

In addition to identifying program integrity risks, some of the inspector general offices also identified specific providers with telehealth billing practices that raise concern and may indicate fraud, waste and abuse. While the report does not identify suspect providers by name, there is reason to believe that such providers may face further scrutiny. For example, in a related report issued in September, HHS OIG referred to CMS the telehealth providers it identified as posing a high risk to Medicare and recommended that CMS take appropriate action. That report is available here.

The inspector general offices also found limited information about the impact of telehealth on quality of care, which has implications for the care provided to individuals and program integrity. Various inspector general offices noted the need for studies, assessments, and more robust data to evaluate the effect of telehealth on quality of care.

Additionally, most inspector general offices found the programs they oversee lack some data necessary for oversight of billing for telehealth services. They noted that (i) DOJ lacks comprehensive data on telehealth services, (ii) Medicare lacks data on some providers who render telehealth services, and (iii) Department of Defense’s oversight data does not always distinguish telehealth from in-person care.

The report also identifies potential safeguards that could strengthen oversight in the selected programs. Although the inspector general offices acknowledge that the selected programs have some safeguards in place to oversee telehealth services, they conclude that additional safeguards could strengthen program integrity. For example, the inspector general offices stated that programs could:

  • conduct additional monitoring of telehealth services;

  • develop additional billing controls to prevent inappropriate payments for telehealth services;

  • conduct efforts to educate providers and individuals about telehealth services;

  • collect additional data related to telehealth services; and

  • collect and review information about the impact of telehealth services on quality of care.

The PRAC Health Care Subgroup report is available here.

Reporter, Dennis Mkrtchian, Austin, +1 512 457 2068,

HRSA Proposes Changes to ADR Procedures for 340B Disputes

On November 29, 2022, the Health Resources and Services Administration (HRSA) issued a proposed rule (Proposed Rule) to revise the alternative dispute resolution (ADR) procedures for disputes arising under the 340B drug pricing program between covered entities and manufacturers. HRSA says these proposals are designed to address the policy and operational challenges posed by the existing 340B ADR procedures. The proposed changes would, among other things, informalize the ADR procedures to improve accessibility and efficiency and revise the composition of the ADR panels. 

The Affordable Care Act directed HHS to implement a binding ADR process to resolve disputes between covered entities and manufacturers arising under the 340B statute. In accordance with that directive, HHS adopted ADR procedures for 340B disputes in December 2020. Those procedures, which have been in effect since January 13, 2021, have evidently proven difficult to implement. HRSA says in the Proposed Rule that it has “encountered policy and operational challenges with implementation” of the ADR procedures adopted in 2020. Therefore, HRSA is proposing to revisit the ADR procedures to address and correct for those challenges. 

First, HRSA proposes to eliminate the requirement that the ADR process conform to the Federal Rules of Civil Procedure (FRCP) and the Federal Rules of Evidence (FRE). According to HRSA, relying on the FRE and FRCP is likely to introduce unwarranted delays in the decision-making process and present operational difficulties because “it is challenging to assign ADR panel members with expertise in the FRE or FRCP.” HRSA also suggests that the existing rule makes ADR less accessible because covered entities with limited resources may not be able to afford counsel familiar with the FRCP and FRE.

Second, HRSA also proposes changing the composition of the ADR panels. Under the existing rules, panelists can be employees of HRSA, CMS or the HHS Office of General Counsel. HRSA believes that panel members “should have specific knowledge of the authorizing statute and the operational processes of the 340B Program.” Accordingly, the agency proposes that ADR panels consist entirely of staff from the Office of Pharmacy Affairs (OPA) who, according to HRSA are best suited to resolve 340B disputes. Under this proposal, HHS would appoint a roster of at least ten eligible OPA staff members. The OPA director would select three members from the roster to form ADR panels to facilitate review of ADR claims, subject to review for conflicts of interest. 

Third, HRSA proposes requiring parties to engage in good faith efforts to resolve disputes prior to initiating the ADR process. Covered entities and manufacturers would be required, at the time of filing a request for ADR, to present a written summary of their efforts to resolve the dispute in good faith. Documented good faith efforts would include attempts to enter into discussions to resolve the disputes or communication records between the covered entity and manufacturer.

Fourth, HRSA is also proposing to define the specific categories of disputes that can be resolved in ADR to better align with the statute. According to the agency, the 340B statute only authorizes ADR to adjudicate claims by covered entities that they have been overcharged or claims by manufacturers that a covered entity has violated the prohibitions against diversion or duplicate discounts. The revised regulations would reflect HRSA’s interpretation of the statutory limitations on ADR review. 

Fifth, HRSA proposes allowing parties dissatisfied with an ADR decision to request reconsideration. Parties seeking reconsideration would be required to submit requests in writing within 20 business days after receiving the ADR panel’s decision. Reconsideration requests would be decided by the HRSA Administrator. 

In addition to the proposals mentioned above, HRSA is also proposing the following changes to the 340B ADR procedures:

  • The ADR panel will suspend review of any claim if the specific issue in dispute is the same as, or similar to, an issue that is pending in Federal Court;

  • Parties will have three years from the date of the alleged violation to file a request for ADR, after which time the claim is barred;

  • Disputes will no longer be subject to a $25,000 materiality threshold; and

  • The new procedures would automatically apply to any claims raised under the existing procedures.

A copy of the Proposed Rule is available here. Comments to the Proposed Rule must be submitted by January 30, 2023.

Reporter, Alek Pivec, Washington D.C., +1 202 626 2914,

OCR Publishes Bulletin on HIPAA’s Requirements for Online Tracking Technology

On December 1, 2022, the HHS Office for Civil Rights (OCR) issued a bulletin on the requirements imposed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for online tracking technologies regarding protecting the privacy and security of health information. This bulletin explains how HIPAA rules apply to regulated entities’ use of online tracking technologies on their webpages and mobile apps.

Online tracking technologies consist of code or scripts that share information about how a visitor interacts with that webpage or mobile app. Common tracking technologies on websites include cookies, tracking pixels, and other web beacons, while mobile apps often use tracking technology embedded in the app to share user information. Tracking user information can help improve the patient experience and lead to more relevant information being received by those who want it, but disclosure of this information carries risk. While some website or mobile app creators may write their own tracking technologies, tracking technologies are developed most commonly by third parties such as Meta/Facebook and Google.

Healthcare providers risk running afoul of HIPAA rules if they disclose protected health information (PHI) to third party tracking technology vendors. OCR’s bulletin explains that individually identifiable health information (IIHI) includes an individual’s medical record number, home address, email address, dates of appointments, IP address or geographic location, medical device IDs, or unique identifying codes. This information is generally considered PHI, even when the IP address or geographic location isn’t connected to specific healthcare services or billing information. The bulletin notes that information is considered PHI even when the website visitor does not have an existing relationship with the provider because when the tracking technology collects a visitor’s IIHI there is an indication that the visitor either has or will receive healthcare services from that provider.

The bulletin describes HIPAA’s application to tracking technology on user-authenticated pages (where a user must log in, such as a patient portal), tracking non-authenticated pages (where a user does not have to log in), and on mobile apps. On user-authenticated pages, the provider must ensure that if there are any tracking technologies they only use and disclose PHI in compliance with the HIPAA Privacy Rule and Security Rule. The tracking technology vendor is a business associate, and a business associate agreement (BAA) is required when the vendor regularly receives, maintains, or transmits PHI on behalf of the provider for a covered function (e.g., health care operations) or provides services that involve PHI disclosure. 

For non-authenticated webpages, if tracking technologies on these pages have access to PHI, then HIPAA rules apply. For example, if tracking technologies collect a person’s email address or IP address when she visits her provider’s webpage and searches for available appointments, this information is PHI and protected by HIPAA. HIPAA rules also apply to any PHI collected through a provider’s mobile app, such as a person tracking her menstrual cycle, body temperature, or prescription information. Mobile app PHI includes information typed or uploaded into the app, information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. However, HIPAA does not protect information entered into mobile apps that are offered by an entity that is not regulated by HIPAA.

The OCR bulletin lists additional considerations for regulated entities using tracking technologies. They must ensure that any disclosures of PHI to tracking technology vendors are permitted by the HIPAA Privacy Rule. Informing an individual in a privacy policy or in terms and conditions of PHI disclosures to a tracking technology vendor is not enough. Similarly, website banners that ask visitors to accept or reject the website’s use of tracking technologies are not a valid HIPAA authorization, nor would it be sufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI. If a provider discloses any PHI to a vendor without individuals’ authorization, then the vendor must sign a BAA and there must be an applicable Privacy Rule permission. The OCR bulletin also lists considerations for establishing a BAA with a tracking technology vendor that meets the definition of “business associate.”

The full text of the HHS OCR bulletin, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates,” is available here.

Reporter, Kasey Ashford, Washington D.C., +1 202 626 2906,

Texas Medical Association Files Third Challenge to No Surprises Act

On November 30, 2022, the Texas Medical Association (TMA) filed a third lawsuit challenging the regulations implementing the No Surprises Act (NSA). TMA’s latest suit before the United States District Court for the Eastern District of Texas challenges the portions of the first set of interim final rules (the First IFR) that provide guidance on how to calculate the Qualifying Payment Amount (QPA). TMA argues that the regulations artificially deflate the QPA, which consequently skews payor–provider disputes and negotiations against providers.


In July 2021, the Departments of Health and Human Services, Labor, and the Treasury (the Departments) issued the First IFR implementing the NSA. Among other topics, the First IFR provided guidance on the calculation of the patient’s cost-sharing amount and the QPA. On September 30, 2021, the Departments issued the second set of implementing regulations (the Second IFR) which, in part, provided significant additional detail regarding the IDR process, but also made the QPA the presumptive out-of-network rate, thereby downgrading the other factors that Congress specified and permitted for consideration. A Federal court twice held that the Departments’ elevation of the QPA to the presumptive out-of-network rate in the IDR process violated the text of the NSA. King & Spalding reported on the these successful challenges to the Second IFR in previous issues of Health Headlines (available here and here).

In response, the Departments issued new guidance implementing the IDR process in the form of a final rulemaking in August 2022 (the Final Rule), and while the Departments did not make the QPA the presumptive rate, they continued to give the QPA elevated importance in the determination of the out-of-network rate in the IDR process. At the same time, the Departments also issued a set of FAQs addressing a number of topics, including the calculation of the QPA. TMA has challenged these aspects of the Final Rule, arguing that they suffer from the same flaws as the Second IFR. That challenge is currently pending in the United States District Court for the Eastern District of Texas with a hearing scheduled for December 20, 2022.

The QPA Challenge

TMA’s latest challenge focuses on the portions of the First IFR that provided the method for calculating the QPA. TMA argues that the First IFR conflicts with the text of the NSA and depresses the QPA in four ways:

  1. Ghost Rates. The rule allows the plans to include in the QPA “ghost rates.” By this, TMA means that plans may include in their calculation of the QPA contracted rates for services that a contracting provider or facility never expects to provide. Because the providers do not provide such a service, the provider has no incentive to negotiate a fair and reasonable price, and these rates are typically lower than rates for services that are actually provided, sometimes as low as $0. The Departments clarified in the August 2022 FAQs that $0 rates are not to be included in the QPA, but that non-$0 rates (such as a $1 ghost rate) should be included. TMA argues that this contradicts the text of the NSA that states the QPA should include rates for services “provided by a provider,” and improperly drives down the QPA. 

  2. Specialty Rates. The rule permits plans to include the rates of physicians that are not in the same or similar specialty as the physician involved in the payment dispute in some instances. The First IFR instructs insurers to only calculate separate rates where the insurer otherwise varies its contracted rates based on provider specialty. In the August 2022 FAQs, the Departments clarified that separate rates for specialty need only be calculated if there is a “material difference” in the contracted rates between providers of different specialties. TMA argues that this rule conflicts with the NSA’s directive that the QPA alwaysbe calculated based on the rates of providers in the same or similar specialty.

  3. Impact of Adjustments. The First IFR permits insurers to use an amount less than the total payment amount if a contracted rate includes risk sharing, bonus, penalty, or other incentive-based and retrospective payments or payment adjustments. Even though these adjustments and retrospective payments are included in the total amount paid to a provider, the Departments instruct that they are not to be included in the QPA. TMA argues that this conflicts with the NSA’s mandate that the QPA include the contracted rate for the “total maximum payment” under a plan.

  4. ERISA Plan Administrator Rates. The First IFR permits self-funded plans to allow their third-party administrators to determine the QPA for the plan sponsor by using the contracted rates recognized by all self-insured group health plans administered by the third-party administrator. Alternatively, the plan sponsor may calculate the QPA using only its contracted rates, meaning the plan sponsor may determine which method results in lower QPAs and opt into that method. TMA argues that this conflicts with the language of the NSA that states that the QPA is to be determined with respects to allplans of a sponsor or all coverage offered by an issue in an insurance market.

TMA argues that these four methods operate to systematically and improperly lower the QPA and to undermine healthcare providers’ ability to obtain adequate reimbursement for their services in the IDR process. These effects are compounded by the fact that providers are not permitted to review the plans’ calculations and have limited ability to obtain information on the plans’ calculation methods. The only limited recourse providers have to challenge the calculations is to submit a complaint to the Departments, who have authority to conduct an audit of the plan. However, the Departments have stated their intention to conduct no more than nine audits annually.

TMA asserts that even if its separate challenge to the final rules implementing the IDR process is successful, the method for calculating the QPA will continue to harm providers because the QPA will remain a factor in the IDR process, and the QPA colors the whole negotiation process between payors and providers.

TMA’s complaint is available here.


CMS Urges Hospitals to Educate and Train Staff on Workplace Violence

On November 28, 2022, CMS reiterated its continued enforcement of regulatory requirements for hospitals to provide patients and staff with an environment that prioritizes their safety and urged hospitals to address workplace violence hazards. CMS emphasized that hospitals should provide adequate training, sufficient staffing levels, and assessment of patients and residents for aggressive behavior and indicators to adjust their care interventions and environment. CMS’s memorandum can be found here.

King & Spalding Webinar – Physician Practice Acquisitions Roundtable: Considerations for Negotiating on Behalf of Buyers and Sellers

King & Spalding is hosting a roundtable webinar that will take place on Thursday, December 8, 2022, at 12:00 P.M. ET.  This roundtable webinar will explore issues that frequently arise in physician practice M&A deals. Specifically, the panel will explore:

  • Market trends in acquisitions by private equity sponsors, hospitals and other acquirors;

  • Corporate practice of medicine (CPOM) restrictions and other potential legal, regulatory and tax pitfalls to consider when structuring acquisitions;

  • Restrictive covenants, terms of rollover equity, compensation, governance rights and other hot-button issues for buyers and sellers; and

  • The impact of group practice politics on the dynamics of the negotiation and tips for effectively managing the deal process.

 The webinar is free to attend. Additional information and a link to registration can be found here.