backWhite House Announces Plan to Extend and End COVID-19 Emergency Declarations
On January 30, 2023, the White House announced its plan to extend the COVID-19 national emergency and public health emergency (PHE) declarations until May 11, 2023, and then end both emergencies on that date.
In the announcement, the White House emphasized that the extension of the emergency declarations does not impose any COVID-19 restrictions on individual conduct, but instead allows for a necessary wind-down process.
The White House discussed its opposition to the enactment of H.R. 382 and H.J. Res. 7, arguing that these bills would end the emergency declarations too abruptly and cause “highly significant impacts on our nation’s health system and government operations.” This would include “wide-ranging chaos and uncertainty throughout the health care system.”
The White House further argued that during the PHE, Medicaid provided extra funding to states to ensure that Americans were able to keep their Medicaid coverage during the pandemic. If the PHE was suddenly terminated, it would put millions of Americans at risk of losing their health insurance and states at risk of losing significant funding. Additionally, the emergency declarations provide flexibility to hospitals and nursing homes that would likely suffer disruptions and revenue losses if they are not given adequate time to adjust. Patients who have come to rely on access to their physicians through telehealth would also lose access to critical care.
Ending the PHE will end the Title 42 policy at the border, which has been used to expel migrants throughout the pandemic. The White House discussed its support of terminating the Title 42 policy and lifting its restrictions, but emphasized the importance of an “orderly, predictable wind-down of Title 42, with sufficient time to put alternative policies in place.” According to the White House, lifting Title 42 without a wind-down period would also allow “thousands of migrants per day into the country immediately without the necessary policies in place.”
The White House statement can be found here.
Reporter, Lindsay Greenblatt, Los Angeles, +1 213 218 4032, lgreenblatt@kslaw.com.
FTC Proposes Enforcement Action Prohibiting GoodRx from Disclosing Users’ Health Information for Advertising
On February 1, 2023, the Federal Trade Commission (FTC) announced that it has taken enforcement action for the first time under its Health Breach Notification Rule (HBNR) against GoodRx Holdings Inc. (GoodRx), for allegedly failing to notify consumers and others about unauthorized disclosures of personal health information to advertisers and other third parties. GoodRx and the FTC have stipulated to a proposed order, which, if approved by the court, would require GoodRx to pay $1.5 million and prohibit it from sharing users’ health information with third-party advertisers.
The FTC alleges that GoodRx participated in deceptive and unfair acts in violation of the FTC Act, including allegations that GoodRx unlawfully shared its users’ personal health information with third party advertising companies, misrepresented compliance with the Digital Advertising Alliance Principles and HIPAA, failed to implement policies or procedures to protect personal health information, and failed to notify and obtain consent before the use and disclosure of health information for advertising. The FTC also alleges that GoodRx violated the HBNR with respect to notifying consumers, the FTC, and the media about unauthorized disclosure of identifiable health information.
The main basis for these allegations is GoodRx’s alleged disclosure of health-related data to advertising platforms through tracking tools, such as pixels. These tracking tools allegedly recorded and transmitted sensitive information to third parties through “events,” i.e., actions taken on GoodRx’s websites. For example, the complaint alleges that, when a user accessed a GoodRx coupon for a medication, a Facebook pixel recorded the medication name and related health condition associated with the coupon under the event names “Drug Name” and “Drug Category.” In addition to pixels that conveyed drug information, the complaint also describes another pixel on GoodRx’s telehealth website. This pixel transmitted the specific URL that a user visited within GoodRx’s treatment pages prior to beginning a telehealth consultation. The treatment page URLs directly referenced a health condition, such as ‘www.heydoctor/goodrx.com/services/hyperlipidemia,’ which linked to GoodRx’s treatment services for high cholesterol.
The government alleges that ultimately, this information sharing enabled GoodRx, through the use of digital advertisers and their platforms, to target users with advertisements based on health conditions and drug purchases associated with the user. GoodRx did not seek specific contractual assurances from digital advertisers to protect the health information. Rather, GoodRx agreed to their standard terms of use and/or entered into agreements that permitted digital advertisers to use the health information for their own internal business purposes.
DOJ and GoodRx stipulated to a proposed order, which requires court approval. The stipulated proposed order seeks a $1.5 million civil penalty and the following other restrictions against GoodRx:
- Prohibition on the sharing of health information for advertising: The proposed order would permanently enjoin GoodRx from disclosing user health information with applicable third parties for advertising purposes.
- Prohibition on the disclosure of health information without consent and notice: The proposed order would restrict GoodRx from disclosing user health information with applicable third parties for other purposes without first obtaining users’ affirmative express consent. The order would also require GoodRx to clearly and conspicuously state the categories of health information that it will disclose to third parties and the purposes for disclosure.
- Notifications after breach: The proposed order would require GoodRx to notify each individual, the FTC, and the media following the discovery of unauthorized acquisition of the individuals’ identifiable health information.
- Deletion of data: The proposed order would require GoodRx to instruct third parties to delete the consumer health data that was shared with them and inform consumers about the breaches and the FTC’s enforcement action.
- Privacy program and limited retention of data: The proposed order would require GoodRx to establish and maintain a comprehensive privacy program that includes strong safeguards to protect consumer data. The proposed order would also require GoodRx to limit how long it can retain personal and health information according to a publicly posted data retention schedule.
- Compliance reporting: If approved, the proposed order, would require GoodRx to submit annual compliance reports to the FTC.
The GoodRx complaint carries several lessons for all healthcare providers. The FTC is continuing its privacy and security enforcement focus on with respect to health information. The FTC’s enforcement has been focused on (i) health information that gets transmitted for marketing purposes, (ii) insufficient disclosure to consumers about the use of health information, and (iii) agreements with vendors that may have access to health information. It appears that the FTC expects every healthcare provider that has any online presence (e.g., websites, apps) to monitor the use and disclosure of visitor identifying information.
The FTC’s complaint is available here, and the proposed order is available here. An FTC press release announcing the proposed order is available here.
Reporters, Jason A. de Jesus, Los Angeles, +1 213 443 4343, jdejesus@kslaw.com, Igor Gorlach, Houston, +1 713 276 7326, igorlach@kslaw.com, and Sydney Teng, Atlanta, +1 404 572 4716, steng@kslaw.com.
CMS Issues Final Rule on Medicare Advantage Risk Adjustment Data Validation Program
On February 1, 2023, CMS published its final rule addressing the Medicare Advantage (MA) Risk Adjustment Data Validation (RADV) program. CMS uses RADV audits to identify whether Medicare made overpayments to MA plans by validating that the diagnoses submitted by MA organizations are properly supported by the beneficiary’s medical record. CMS estimates that it made over $15 billion in Part C overpayments in fiscal year 2021, based on 2019 payments.
Although CMS had proposed to apply extrapolation starting with payment year (PY) 2011, the final rule provides that extrapolation will instead begin with the PY 2018 audit. CMS will still collect non-extrapolated overpayments identified in audits during PYs 2011-2017, but this means some improper payments made during those years will be left uncollected. CMS’s decision came as a result of consideration of public comments regarding the timeliness of the RADV audits and operational concerns regarding the volume of active appeals.
CMS described potential audit methodologies in previous proposed rules, such as contract-level sampling and extrapolation techniques, or a specific extrapolated audit methodology based on subcohorts of enrollees. In the final rule, however, CMS announced that it will not adopt any specific extrapolation or sampling audit methodology. Instead, CMS will rely on any statistically valid method for extrapolation or sampling that it determines is best suited for a specific audit. CMS explained that it will disclose its methodology to MA organizations through Health Plan Management System memoranda or other means.
CMS also concluded for purposes of the final rule that the so-called fee-for-service (FFS) adjuster is not appropriate for use in in RADV audits and finalized the policy that CMS will not apply the FFS adjuster. CMS previously used the FFS adjuster in RADV audits to account for the difference between Medicare FFS and MA diagnosis data. MA organizations had argued, however, that Medicare FFS data is unaudited and, as a result, understates the treatment cost of various conditions. CMS explained in the preamble to the final rule that the FFS adjuster is not appropriate for two reasons. First, the actuarial equivalence provision of section 1853(a)(1)(C)(i) of the Social Security Act only applies to how CMS risk adjusts its payments to MA organizations and does not apply to the MA organizations’ obligation to return overpayments. Second, CMS explained, it would not be reasonable to read the Act as requiring a payment reduction to MA organizations by using a statutorily set minimum adjustment, while at the same time “prohibiting CMS from enforcing longstanding documentation requirements by requiring an offset to the recovery amounts calculated for CMS audits.”
CMS estimates that RADV audits will recover $4.7 billion from MA organizations from 2023 through 2032.
The Final Rule is available here, and CMS’s fact sheet is available here.
Reporter, Kasey Ashford, Washington D.C., +1 202 626 2906, kashford@kslaw.com.
King & Spalding Client Alert: DOJ Alters Standards for Information Sharing in Healthcare
On Friday, February 3, 2023, the Department of Justice (DOJ) announced that it is withdrawing three policy statements containing antitrust guidance that the department previously issued and that have been adopted by the healthcare industry for close to 30 years. DOJ has made this change without any updated replacement guidance other than to say that “[r]ecent enforcement actions and competition advocacy in healthcare provide guidance to the public, and a case-by-case enforcement approach will allow the Division to better evaluate mergers and conduct in healthcare markets that may harm competition.” The FTC is also certain to follow DOJ’s announcement with its own statement. For additional information and insight into this DOJ action, please click on the following link to read a Client Alert issued by King & Spalding antitrust lawyers. More
ALSO IN THE NEWS
Life Sciences & Healthcare Roundtable Webinar
Join us for a roundtable webinar on February 15, 2023, from noon - 1:00 P.M. Our panel will explore healthcare fraud enforcement patterns from 2022 and will discuss what to expect from the government and whistleblowers in 2023. The panel will also consider how healthcare organizations can mitigate these False Claims Act enforcement risks by implementing proactive compliance strategies. Topics for discussion include:
– DOJ and OIG enforcement initiatives focused on healthcare organizations.
– Specific enforcement trends to be covered include:
- Telehealth
- Proposed changes to the overpayment rule
- Continued pursuit of private equity investors
- Cyber breaches leading to FCA liability
- Academic medical center grant fraud enforcement
- Provider Relief Fund reporting
- Anti-Kickback Statute / Conflicts of Interest
- Strategies to reduce risk in light of enforcement trends and evolving data sources.
Please register soon. You do not have to be a client to attend, and there is no charge.
32nd Annual Health Law & Policy Forum
Join us Monday, March 20, 2023, for our annual forum focusing on the foremost legal and political developments impacting the healthcare industry. The event will be hosted at the St. Regis Atlanta Hotel.
Information regarding a room block at The St. Regis Atlanta can be found here. The group rate is available until 5 P.M. ET on Friday, February 17.
HLPF HIGHLIGHTS
- Secretary Kathleen Sebelius speaking on the future of health policy
- Leading practitioners providing policy and regulatory enforcement updates, and other industry developments
- How changes in antitrust policy and enforcement are impacting the healthcare industry
- Democrats in the Senate and Republicans in the House: Healthcare in a divided Congress
To register for this year's event, please click here.