Health Headlines – January 19, 2021

CARES Act Provider Relief Fund Reporting Requirements Updates – On January 15, 2021, HHS launched the registration process for the Provider Relief Fund Reporting Portal and announced that it would be amending the reporting timeline for payment recipients due to the recent passage of the Coronavirus Response and Relief Supplemental Appropriations Act (previously, HHS announced that the first reporting deadline for all providers on use of funds was February 15, 2021).  Additionally, on January 15, 2021, HHS published an updated Post-Payment Notice of Reporting Requirements.  Notably, the updated Notice provides payment recipients additional guidance on calculating lost revenues.

Provider Relief Fund Reporting Portal

The Provider Relief Fund Reporting Portal is open for registration to all recipients of aggregated payments greater than $10,000.  However, the Provider Relief Fund Portal is not yet open for reporting.  HRSA will later announce the window for submitting the first report on a recipient’s use of funds.  Currently, there is no deadline for completing registration in the portal, but HRSA will send a broadcast email about the next steps to the email addresses provided during the registration process.  The Provider Relief Fund Reporting Portal is available here.

Updated Post-Payment Notice of Reporting Requirements

HHS published an updated Post-Payment of Notice Reporting Requirements, which informs  Provider Relief Fund recipients who received aggregated payments greater than $10,000 of the data elements that they will be required to report as part of the post-payment reporting process. These reporting requirements are applicable to general and targeted distributions except for the Nursing Home Infection Control distributions and the Rural Health Clinic Testing distribution.  These reporting requirements also do not apply to reimbursement from the HRSA COVID-19 Claims Reimbursement to Health Care Providers and Facilities for Testing, Treatment, and Vaccine Administration for the Uninsured Program and the HRSA COVID-19 Vaccine Administration Assistance Fund.  Furthermore, this updated document supersedes previous versions of post-payment notices that HHS has published. 

Importantly, the Notice provides three options for calculating lost revenues along with the additional revenue information required for each option. 

HHS explains that recipients seeking to use an alternate methodology (Option 3) face an increased likelihood of an audit by HRSA.  HRSA will notify a recipient if its proposed methodology is not reasonable, and then the recipient must resubmit its report within 30 days of notification using either 2019 calendar year actual revenue or 2020 calendar year budgeted revenue to calculate lost revenues attributable to coronavirus.

The updated Post-Payment Notice of Reporting Requirements is available here, and HHS’ announcement of reporting updates is available here.  More information on Provider Relief Fund reporting requirements is available here.

Reporter, Ahsin Azim, Washington D.C., +1 202 626 9262, aazim@kslaw.com.

Fifth Circuit Reverses $4.3 Million HIPAA Penalty, Interprets Encryption and Disclosure Regulations Narrowly, and Criticizes Inconsistency in HIPAA Penalty Amounts – On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit (the Court) issued an opinion in a dispute between a major cancer center (the Provider) and HHS stemming from alleged violations by the Provider of HIPAA regulations.  The dispute arose from the loss of three unencrypted devices—a laptop and two flash drives—by employees of the Provider, which resulted in the imposition of a $4,348,000 penalty by the HHS Office for Civil Rights (OCR).  The Court ruled that the Provider did not violate the applicable HIPAA regulations because the Provider had a mechanism addressing encryption (even though the lost devices were not encrypted) and because the loss of devices was not an affirmative disclosure of the information to an outside entity.  The Court further concluded that HHS failed to justify variance in the imposition of penalties and promulgated penalty caps in the regulations that exceeded the statutory caps.  The Court’s opinion, coupled with the new statutory safe harbor for entities with recognized security practices, is likely to result in fewer and lower HIPAA-related penalties in the near future.

The dispute between the Provider and OCR began with the Provider’s submission of three breach notification reports to OCR in 2012 and 2013.  The first breach was caused by the theft of an employee’s laptop.  The laptop was unencrypted and contained the electronic protected health information (ePHI) for 29,021 individuals.  The other two breaches involved the loss of unencrypted USB thumb drives.  The thumb drives contained the ePHI of a total of 5,862 individuals.  In the course of the dispute between the Provider with OCR, it was determined that, prior to the breaches, the Provider intended to encrypt all portable computers and devices but delayed the implementation of this decision.

OCR alleged that the Provider violated the regulations prohibiting unauthorized disclosure of ePHI (45 C.F.R. § 164.502(a)) and requiring implementation of technical safeguards, including, when reasonable and appropriate, the encryption of ePHI (45 C.F.R. § 164.312(a)(iv)).  (Since encryption is an “addressable” requirement, an entity’s non-compliance with the encryption requirement may be permissible if the entity can explain why it is not reasonable and appropriate to implement, but the Provider did not argue that encryption is not appropriate.)  For the unauthorized disclosure of ePHI, OCR proposed penalties of $1,000 per individual affected by each of the three incidents, resulting in the maximum (under OCR’s regulations) penalties of $1,500,000 per year for 2012 and 2013 ($3,000,000 total).  For the failure to comply with the technical safeguards regulation by encrypting devices, OCR proposed penalties of $2,000 per day for the period of March 24, 2012, through January 25, 2013 ($1,348,000 total).

On appeal to the administrative law judge (ALJ), the Provider argued that it complied with the regulations and that the fact that the devices were not encrypted was the result of personnel’s defiance of the policies.  However, the ALJ concluded that “undisputed material facts establish that Petitioner failed to comply with” the two regulations OCR charged it with violating, finding the Provider’s encryption initiatives to be “half-hearted” and “incomplete.”  The ALJ also approved the penalties and noted that it does not have the authority to review whether OCR’s regulations were authorized by the statute.  The HHS Departmental Appeals Board largely affirmed the conclusions and decision of the ALJ. 

With the Board’s decision in hand, the Provider filed a petition to the Court, arguing, inter alia, that it did not violate the regulations, that HHS’ imposition of penalties was arbitrary and capricious because it was inconsistent, and that HHS’s interpretation of its penalty authority was contrary to the statutory language.  After the Provider filed its petition, HHS conceded that, under the statutory language, it could not defend its penalty and asked the Court to reduce the penalty by a factor of 10 to $450,000.  HHS also then published a “Notice of Enforcement Discretion Regarding HIPAA Civil Money Penalties,” stating that it had misinterpreted the statutory penalty limits when promulgating the regulations, and “the better reading of the HITECH Act” is to apply significantly lower penalty limits, reducing the relevant annual limit for the Provider’s “reasonable-cause” violation from $1,500,000 to $100,000.  HHS stated that it would exercise enforcement discretion to comply with these caps.

However, the Court concluded that even the reduced penalty was arbitrary, capricious, and otherwise unlawful.   The Court based its conclusion on four reasons:

• The HIPAA regulatory provision addressing encryption (45 C.F.R. § 164.312(a)(2)(iv)) requires that an entity implement a “mechanism” to encrypt ePHI.  The regulations do not specify beyond this requirement.  The Provider’s mechanism was evidenced by its information resources acceptable use agreement and user acknowledgment for employees, which directed users to encrypt portable devices, and by the Provider’s provision of encryption software to personnel.  Since the regulations are silent on the mechanism’s required effectiveness and enforcement, an ineffective or poorly-enforced mechanism does not result in a violation of the regulatory requirement.  
• Under the HIPAA regulatory provisions prohibiting unauthorized “disclosure” of ePHI (45 C.F.R. §§ 164.502(a), 160.103), the government must prove that the disclosure was affirmative by the entity to a specific someone outside of the entity.  The loss of information is not an affirmative disclosure to an outside person. 
• HHS may not enforce CMPs against some entities but not others without providing justification showing that, while each case is evaluated on its facts, the agency treats like cases alike.  
• The HHS regulations’ establishment of penalty caps that are significantly higher than those permitted by the statute tainted the ALJ and Board decisions by creating the impression that HHS was authorized to impose higher penalties. 

While the decision is a significant blow to OCR’s enforcement efforts, the failures cited by the Court are all self-inflicted, and can be addressed by HHS in the future.  It is clear that HHS will be required to amend its penalties regulations and institute certain parameters for the imposition of monetary penalties.  HHS may also choose to revisit its regulations addressing encryption and prohibiting unauthorized disclosures of ePHI to ensure that the regulatory language reflects the agency’s stance more accurately.  Thus, this case can result in an overdue update to the HIPAA regulations. 

The Court’s opinion coincides with the enactment of the new statutory safe harbor at 42 U.S.C. § 17941 (enacted on January 5, 2021), directing HHS to consider an entity’s information security practices in the preceding year that may mitigate fines, result in an early favorable termination of an audit, and mitigate the remedies in an agreement between and entity and HHS resolving potential violations of the HIPAA Security Rule.  The new safe harbor and the Court’s opinion will likely result in fewer and lower HIPAA-related penalties.  However, providers may need to seek reliance on the safe harbor proactively.

The case is The University of Texas MD Anderson Cancer Center v. U.S. Department of Health and Human Services, Case No. 19-60226, U.S. Court of Appeals for the Fifth Circuit, and the Court’s opinion is available here.

Reporters, Igor Gorlach, Houston, +1 713 276 7326, igorlach@kslaw.com, and Adam Solander, Washington, D.C., +1 202 626 5542, asolander@kslaw.com.

HHS Final Rule Strengthens Limitations on Department’s Use of Guidance Documents – On January 12, 2021, HHS released a final rule that clarifies how the department may rely on guidance documents, including in the context of civil enforcement actions (the Final Rule).  The Final Rule also establishes procedural requirements that apply to civil enforcement actions, administrative inspections, and jurisdictional determinations that are intended to increase fairness and transparency.  Subject to certain exceptions, the Final Rule also gives parties the opportunity to be heard before HHS may take a civil enforcement action.  The Final Rule is effective immediately and applies to all divisions of HHS.

The Final Rule supplements the HHS Good Guidance Practices final rule, released on December 3, 2020, which was intended to help ensure the public receives notice of new guidance documents and that new guidance does not impose obligations that are not reflected in existing statutes or regulations. The Final Rule also implements Executive Order 13892, “Promoting the Rule of Law Through Transparency and Fairness in Civil Administrative Enforcement and Adjudication,” which was published on October 15, 2019.

Reliance on Guidance Documents

The Final Rule prohibits HHS from using guidance documents to impose binding requirements or prohibitions, except as expressly authorized by law or incorporated into a contract.  HHS is also prohibited from treating noncompliance with a standard or practice announced solely in a guidance document as a violation of a statute or regulation, except as expressly authorized by law.  With respect to the prohibition of conduct, guidance documents that explain the applicability of a statute or regulation may only articulate how such laws apply in particular circumstances.  Finally, HHS may cite a guidance document in a civil enforcement action only if it has provided advance notice of the document through publication in the department’s guidance repository, located here (Guidance Repository).

The Final Rule defines a “civil enforcement action” as “an action with legal consequence taken by [HHS] based on an alleged violation of law,” such as an administrative enforcement proceeding or an enforcement adjudication.  The term “legal consequence” is defined as “an action that directly or indirectly affects substantive legal rights or obligations, including by subjecting a regulated party to a potential liability in an enforcement action.”

Fairness and Notice in Civil Enforcement Actions and Administrative Inspections

In civil enforcement actions, HHS may only apply standards or practices that have been publicly stated in a manner that would not cause “unfair surprise.”  An “unfair surprise” is defined as “a lack of reasonable certainty or fair warning, from the perspective of a reasonably prudent member of [a] regulated industry, of what a legal standard administrated by an agency requires.”  HHS is also required to avoid unfair surprise when it imposes penalties or adjudges past conduct to have violated the law.  In addition, HHS is required to conduct civil administrative inspections according to published rules of agency procedure.

Fairness and Notice in Jurisdictional Determinations  

If HHS relies on a decision in an agency adjudication, administrative order, or agency document to assert a new or expanded claim of jurisdiction (e.g., a claim to regulate a new subject matter or a new basis for liability), HHS must publish the initial decision in the Federal Register or the Guidance Repository.  The publication must predate the occurrence of the conduct over which HHS seeks jurisdiction.  If HHS intends to rely on a brief, consent decree, settlement agreement, or other document arising out of litigation (other than a published decision) to establish jurisdiction in future civil enforcement actions involving persons who were not parties to the litigation, then HHS must publish the document and an explanation of its jurisdictional implications.  These publication requirements also apply where HHS intends to seek judicial deference to the agency’s interpretation of a document arising out of litigation to establish a new or expanded claim of jurisdiction in a different case.

Opportunity to Contest Adverse Determinations

Before HHS can take a civil enforcement action that has legal consequences for an entity (e.g., issuing a notice of noncompliance), the department must provide written notice to the entity about the legal and factual determinations underpinning the initial determination.  HHS must provide the entity with an opportunity to respond.  At the request of the entity, HHS must provide a written response that articulates the basis for the department’s final decision.  These procedural requirements are subject to certain exceptions.  For example, HHS is not required to provide a prior opportunity to be heard where there is an emergency or the department is statutorily authorized to proceed without such a prior opportunity. 

The Final Rule is available here.

Reporter, Kyle Gotchy, Sacramento, +1 916 321 4809, kgotchy@kslaw.com.

CMS Issues Final Notice of Benefit and Payment Parameters for 2022 – On January 14, 2021, CMS issued the final annual Notice of Benefit and Payment Parameters for the 2022 plan year applicable to states, American Health Benefit Exchanges (Exchanges), and health insurance issuers in the individual and small group markets (the Final Notice).  The Final Notice allows states to bypass the use of federal or state-based Exchange websites by allowing states to facilitate enrollment through approved private-sector, direct enrollment entities, such as web brokers and Qualified Health Plan (QHP) issuers.  The Final Notice also reduces user fees for federal and state-based Exchanges for 2022, codifies prior guidance issued in 2018 regarding Section 1332 waivers, clarifies network adequacy standards with respect to QHPs that do not use provider networks, and updates standards related to QHP issuers’ acceptance of premium payments for consumers covered through certain Health Reimbursement Arrangements (HRAs).

The Final Notice did not include all of the standards included in the proposed Notice of Benefit and Payment Parameters for 2022.  CMS expects to address other proposals in a second final rule to be published at a later date.  The following is an overview of the provisions in the Final Notice.

Establishment of the Exchange Direct Enrollment Option

CMS finalized a proposal to establish a new Exchange direct enrollment option (DE option) under which a state Exchange, a state-based Exchange on the federal platform (SBE-FP), or a federally facilitated Exchange (FFE) state may elect to rely on direct enrollment to offer QHPs to individual market consumers.  Under the DE option, instead of operating a centralized enrollment website, states may (with HHS approval) use direct enrollment technology and non-Exchange websites developed by approved web brokers, issuers, and other direct enrollment partners to enroll qualified individuals in QHPs offered through the Exchange.  Exchanges would continue to be responsible for meeting (and ensuring their approved DE partners meet) all applicable statutory and regulatory requirements governing application for and enrollment in QHPs, making all determinations of whether an applicant is eligible for QHP enrollment, and sharing eligibility determination and enrollment information with issuers and HHS.  In connection with the DE option, the Exchange would also be required to make available a website listing basic QHP information for comparison and providing links to approved partner websites for consumer shopping, plan selection, and enrollment activities.  For SBE-FP and FFE states approved to implement the DE option, HealthCare.gov will continue to provide the same standardized comparative QHP information available today.

CMS believes the new DE option will “allow states to continue to more effectively exercise their traditional oversight authority over health insurance markets, while enhancing the consumer experience, increasing competition, and lowering costs.”  CMS noted that nearly all commenters cautioned about potential harmful impacts to consumers from the introduction of the DE option.  For example, commenters asserted that the DE option may effectively eliminate access to HealthCare.gov and state Exchange websites, which existing consumers have relied on, and result in a new, fragmented process likely to lead to consumer confusion and mistrust.  Commenters also stated that the negative impacts of effectively eliminating the Exchange-run enrollment websites as an option would outweigh the benefits of the new DE option.  In its response, CMS acknowledged that while any transition or change can be unsettling and disruptive, it disagreed that the potential negative impacts of the DE option outweigh the benefits.  CMS noted that the DE option is not a requirement for states and that states have ample flexibility to tailor operational needs and any transition steps to the needs of their healthcare markets.

Under the Final Notice, the DE option may be implemented in states with a traditional state Exchange beginning in plan year 2022.  The DE option may be implemented in states with an FFE or SBE-FP beginning in plan year 2023.  For an FFE or SBE-FP state that is approved by HHS and elects to implement the DE option for the 2023 plan year, HHS will collect user fees from issuers participating in the Exchange at the rate of 1.5% of premiums charged.

User Fee Rates for the 2022 Benefit Year

For the 2022 benefit year, CMS will reduce the user fee for QHPs sold through an FFE from 3% to 2.25% of premiums.  The 2022 FFE user fee rate reflects a 0.75% reduction from the 3% FFE user fee CMS established for benefit years 2020 and 2021, and a 1.25% reduction from the 3.5% FFE user fee rate established for benefit years 2014 through 2019.  For issuers offering QHPs through an SBE-FP, CMS will reduce the user fee rate from 2.5% to 1.75% of premiums for the 2022 benefit year.

Codification of Policies and Interpretations Outlined in the 2018 State Relief and Empowerment Waivers Guidance

The Final Notice codifies into regulation many of the policies and interpretations outlined by HHS and the Department of the Treasury (collectively, the Departments) in the 2018 State Relief and Empowerment Waivers guidance (2018 Guidance), published here in the Federal Register.  As previously reported here, the 2018 Guidance provided states with expanded flexibility with respect to how a state may meet the standards for obtaining a waiver under Section 1332 of the Patient Protection and Affordable Care Act (ACA).  For example, the Departments’ “more flexible” interpretation of Section 1332 focuses on access to coverage, rather than coverage actually purchased by residents, within the statutory guardrails.  It also allows states “to provide access to less comprehensive or less affordable coverage as an additional option.”  In codifying the 2018 Guidance, the Final Notice states that the Departments sought to provide states with consistency and predictability regarding how the Departments will apply Section 1332 to determine whether applications for waivers will be approved and certainty that the requirements and expectations of the Section 1332 program will not change abruptly or without notice and an opportunity to comment. 

Network Adequacy Standards

CMS finalized proposed revisions to 45 C.F.R. § 156.230 governing network adequacy standards for plans seeking certification as QHPs in response to questions it received regarding whether 45 C.F.R. § 156.230 requirements apply to a plan that does not vary benefits based on whether enrollees receive services from an in-network or out-of-network provider.  CMS stated that nothing in the Affordable Care Act (ACA) requires a QHP issuer to use a provider network, and 45 C.F.R. § 156.230 does not impose any network adequacy certification requirements for QHPs that do not use a provider network.  To address any ambiguity, CMS codified its interpretation under 45 C.F.R. § 156.230(f) that a plan that does not vary benefits based on whether the issuer has a network participation agreement with a provider that furnishes covered services is not required to comply with the network adequacy standards under 45 C.F.R. § 156.230(a)-(e) to qualify for certification as a QHP. 

CMS noted that certain commenters sought to clarify whether plans that do not utilize a provider network must comply with other QHP certification and market-wide requirements.  In response, CMS stated that the final provision does not add to, change, or remove any QHP certification requirements or any requirement for these plans to comply with the market reform provisions under title I of the ACA, and that such plans must still comply with all applicable QHP certification requirements to obtain QHP certification. 

QHP Issuers’ Acceptance of Premium Payments for Consumers Covered Through Certain HRAs

Under 45 C.F.R. § 156.1240(a), QHP issuers are required to accept a variety of payment methods so that individuals without a bank account or credit card have readily available options for making monthly premium payments.  CMS finalized a revision to 45 C.F.R. § 156.1240(a) to require that individual market QHP issuers must also accept payments made by or on behalf of an enrollee using funds from an individual coverage HRA or qualified small employer HRA (QSEHRA), when such payments are made using a payment method described in 45 C.F.R. § 156.1240(a)(2).  CMS clarified that this revision does not require QHP issuers to accept such payments when made using a method of payment not described in 45 C.F.R. § 156.1240(a)(2) or to accept aggregate payments from an individual coverage HRA or QSEHRA made on behalf of multiple enrollees.  

The full text of the Final Notice is available here.  These regulations become effective on March 15, 2021.  For a copy of CMS’s press release regarding the Final Notice, please click here.  CMS also issued a fact sheet regarding the Final Notice, available here.

Reporter, John Whittaker, Sacramento, +1 916 321 4808, jwhittaker@kslaw.com.

ALSO IN THE NEWS:

CMS Issues the 2022 Medicare Advantage and Part D Final Rule – On June 2, 2020, CMS issued the Medicare Advantage and Part D final rule for Contract Year 2022.  A fact sheet about the rule is available here.  The full text of the rule is available here. 

King & Spalding Webinar - Recalculating: Major Stark, Anti-Kickback and CMP Final Rule Changes Are Taking Us in a New Direction  (Part 3) – Part 3 of King & Spalding’s three-part webinar about the recently finalized changes to the Stark Law rules, the Anti-Kickback Statute (AKS) safe harbors, and the Beneficiary Inducements Civil Monetary Penalties (CMP) regulations will be presented on Thursday, January 21, 2021 from 1:00 – 2:00 p.m. ET.  Part 3 will explore how future enforcement theories and litigation of False Claims Act cases with Relators and the Department of Justice may evolve based primarily on changes to the Stark Law concepts of indirect compensation arrangements, taking into account the volume or value of referrals, fair market value, and commercial reasonableness.  Information about the content of each part of this series is available here.  Registration for the event is available here.

King & Spalding Webinar - An Update on Payer Specialty Pharmacy Policies, How the Industry is Responding to Them, and What is at Stake for Hospitals – King & Spalding will host a webinar on Tuesday, January 26, 2021 from 12:00 pm to 1:00 pm ET.  Following up on the November 2020 presentation titled “Challenging Payers’ New Specialty Pharmacy Policies that Reduce Payment to Hospitals,” this webinar will discuss the latest developments with respect to payers’ implementation of white-bagging policies, how the industry has been responding to and challenging these policies, and the financial stakes for hospitals.  The presenters will also discuss the results of targeted survey sent to hospitals regarding the rollout of the white-bagging policies.  Registration for the event is available here.