News & Insights


July 24, 2023

Health Headlines – July 24, 2023

House Committee Approves Transparency in Billing Act That Would Require Unique Health Identifiers for Off-Campus Outpatient Departments – On July 12, 2023, the House Committee on Education and the Workforce approved the Transparency in Billing Act (the Bill), which would require commercial insurance plans to reject hospital claims for outpatient services furnished in off-campus outpatient departments unless they include a unique national provider identifier (NPI) associated with the department where the service was furnished.

The Bill would amend Section 901 of the Employment Retirement Income Security Act of 1974 (ERISA) by adding additional billing requirements for the payment of services furnished at an off-campus outpatient department of a provider. The Bill would require hospitals to obtain a separate unique NPI and use that identifier on each claim for the department where the items and services were provided. A process for reporting suspected violations of these requirements would be established within a year of the enactment of these billing requirements.

The Bill would also amend Section 502 of ERISA by adding a civil monetary penalty against a hospital for violating Section 901. Hospitals with thirty beds or less could be fined up to $300 per day that a violation occurs. Hospitals with more than thirty beds could be fined up to $5,500 per day that a violation occurs. 

While the Bill’s prospects for passage by the full Congress remain unclear, this development marks yet another instance of legislative scrutiny on hospital outpatient billing. Earlier this year, House committees held hearings on several new bills aiming to expand site neutrality in Medicare billing. However, this Bill would go beyond a focus on governmental payors and address hospital outpatient billing of private payors.

The Bill can be found here.

Reporter, Lindsay Greenblatt, Los Angeles, +1 213 218 4032,

OCR and FTC Issue Letter to Hospital Systems and Telehealth Providers Emphasizing Privacy and Security Risks Related to Online Tracking Technologies – On July 20, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a letter to approximately 130 hospital systems and telehealth providers warning that online tracking technologies that may be present on their websites or mobile applications may impermissibly disclose consumers’ sensitive personal health information to third parties in ways that are unavoidable and often unknown to users, and that may violate applicable law.

Online Tracking Technologies

OCR and FTC advise that online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, can track a user’s online activities. The two agencies caution that online tracking technologies may continue to gather identifiable information about users even after the users navigate away from the original website to other websites and that they can gather identifiable information about users without their knowledge and in ways that are difficult for users to avoid.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The HIPAA Privacy, Security, and Breach Notification Rules apply when a covered entity or business associate regulated under HIPAA collects or discloses protected health information (PHI) to third parties, such as tracking technology vendors. In the joint letter, the agencies remind entities covered by HIPAA of their responsibilities to protect against unauthorized disclosure of PHI and advise that covered entities and business associates are not permitted to use tracking technologies in a way that would impermissibly disclose PHI to third parties or any other violations of the HIPAA rules.

FTC Act and FTC Health Breach Notification Rule

The agencies also advise that for entities not regulated by HIPAA, unauthorized disclosure of personal health information can violate the FTC Act and constitute a breach of security under the FTC’s Health Breach Notification Rule, even when relying on a third party to develop a website or mobile app and even if information obtained through use of a tracking technology is not used for any marketing purposes. The agencies highlight the importance of monitoring data flows of health information to third parties via online technologies that are integrated into entities’ websites and mobile applications.

A copy of the OCR and FTC joint letter is available here. OCR guidance materials on the use of online tracking technologies are available here.

Reporter, Jason A. de Jesus, Los Angeles, +1 213 443 4343,