January 6, 2025

Health Headlines January 6, 2025


FEATURED ARTICLES

OCR Proposes Updates to Strengthen the HIPAA Security Rule—On December 27, 2024, the Office for Civil Rights (OCR) at HHS issued a Notice of Proposed Rulemaking (the Proposed Rule) intended to update the Security Rule under the Health Insurance Portability and Accountability Act (HIPAA). The Security Rule establishes national standards for the protection of individuals’ electronic protected health information (ePHI) by covered entities, which include health plans, health care clearinghouses, and most health care providers, and business associates. OCR administers and enforces the Security Rule. The Proposed Rule was published in the Federal Register today, and comments on the Proposed Rule are due by March 7, 2025.

The Security Rule was originally published in 2003 and was most recently significantly updated in 2013. Citing both changes in technology and an increase in the number of individuals affected by cyberattacks involving ePHI, the 465-page Proposed Rule includes updates to the Security Rule, some of which create new obligations and requirements with which stakeholders must comply. These updates cover a wide spectrum of cybersecurity areas, including:

  • requiring that each covered entity and business associate document the policies and procedures it has implemented to comply with the Security Rule, and as part of that documentation, explain how it considered the factors at 45 C.F.R. § 164.306(b) (pertaining to the flexibility of approach in deciding which measures to use) in the development of its policies and procedures;
  • modernizing definitions and language used in the Security Rule to reflect updates in technology;
  • increasing requirements for planning and responding to cybersecurity incidents;
  • requiring multifactor authentication;
  • requiring encryption of ePHI in transit and at rest;
  • requiring business associates and subcontractors to notify covered health entities no later than twenty-four hours after a cybersecurity contingency plan has been activated; and
  • requiring that business associates and subcontractors provide written verification to the covered entity and the business associate, respectively, once every twelve months of their compliance with the Security Rule.

The Proposed Rule, published in the final days of the Biden Administration, is subject to modification or rescission by the incoming Trump Administration. It also asks for input from the public and affected health entities, which could also result in changes to the final rule. However, the stated motivations for the Proposed Rule—advances in technology and the rising risk and widespread impact of cyberattacks—are ones that are shared across the political spectrum.

For example, the new regulations proposed in the Proposed Rule impacting business associates and subcontractors are part of an increased focus on supply chain risks, which are seen across agencies and may very well survive the administration change. The Proposed Rule would require covered entities and upstream business associates to obtain written verification every twelve months from business associates and subcontractors, respectively, that the verifying entity has deployed the “required technical safeguards” in the Security Rule. That annual verification must include a written analysis of the relevant electronic information systems and be done by a knowledgeable person with authority to act on behalf of the business associate or subcontractor.

Finally, the Proposed Rule also appears to clarify an issue of regulatory interpretation, which may be in response to a recent Fifth Circuit decision, University of Texas M.D. Anderson Cancer Center v. U.S. Department of Health and Human Services, 985 F.3d 472, 478 (5th Cir. 2021), which interpreted the Security Rule’s requirements to have a “mechanism” for encryption of ePHI. In that case, the Fifth Circuit held that a covered entity can meet its obligations under the Security Rule concerning encryption and decryption of ePHI by implementing a mechanism to do so, without regard for the effectiveness of the implementation of that mechanism. The Security Rule’s current language requires covered entities and business associates to implement a “mechanism” to comply with multiple sections of the rule. The Proposed Rule would revise that language throughout the Security Rule to clarify that having an ineffective “mechanism” is not compliant with the Security Rule.

If a final rule is published, it would be effective sixty days after publication, and covered entities would have 180 days after publication to comply with the final rule.

 

The Proposed Rule is available here, and the OCR Fact Sheet accompanying the issuance of the Proposed Rule is available here.

Reporters, Sara Brinkmann, Houston, +1 713 751 3279, sbrinkmann@kslaw.com, and Michael Galdo, Austin, +1 512 457 2081, mgaldo@kslaw.com.

__________________

OIG Issues a Favorable Advisory Opinion to a Pharmaceutical Manufacturer Regarding Free Transportation, Lodging and Support for Patients and Caregivers—On December 31, 2024, OIG posted Advisory Opinion No. 24-13, a favorable advisory opinion allowing a pharmaceutical manufacturer (the Requestor) to offer free transportation, lodging, and other support to eligible patients and their caregivers.

Background

The Requestor manufactures a one-time, potentially curative immunotherapy product (the Product) for patients who have tried and failed at least one alternative treatment option. The Product is manufactured using a patient’s tumor sample, which can only be collected at an approved treatment center (a Treatment Center). While the tumor is collected (the Tissue-Procurement Phase), the patient must stay at the Treatment Center between one and five days. The Product is then manufactured, and the patient must return to the Treatment Center for the administration phase of treatment (the Administration Phase). The Administration Phase requires seven days to complete. After the treatment process, it is recommended that the patient stays within two hours of the Treatment Center for several weeks for post-treatment monitoring (the Post-Treatment Phase). In total, the average time spent by patients for the Tissue-Procurement Phase, Administration Phase, and Post-Treatment Phase is approximately one month in which patients must remain near the Treatment Center, but patients may spend a second month near the Treatment Center in some instances.

The Product is only available at a limited number of Treatment Centers because few treatment centers have the expertise and training required to administer the Product. Requestor lists the Treatment Centers on its website, and Requestor provides information about Treatment Centers geographically closest to patients requesting information about Treatment Centers. Although Requestor believes that the number of Treatment Centers will increase over time, Requestor does not anticipate that Treatment Centers will be available in every state. Given the limited number of Treatment Centers, some inquiring patients would need to travel long distances to reach a Treatment Center.

The Proposed Arrangement

Requestor currently offers free transportation, lodging, and support for meals and other travel expenses to eligible patients and their caregivers (the Arrangement). The Arrangement is offered to patients, including federal healthcare program enrollees, who meet the following criteria: (1) those who are residents of the United States or a U.S. Territory; (2) those whose income is at or below 600 percent of the Federal Poverty Level; (3) those who meet program distance requirements (described below); and (4) those who have an on-label prescription for the Product. Prior to offering the Arrangement to a patient, Requestor must first determine that the patient cannot receive assistance for travel, lodging, meals, or other expenses from another source.

The Arrangement is offered to eligible patients during all three phases of the treatment process. Each eligible patient and one caregiver are offered the following: (i) round-trip airfare for patients and caregivers living 300 miles or more from either the nearest Treatment Center or the Treatment Center with which the patient has already established a treatment relationship; (ii) ground transportation costs for patients and caregivers living between 100 miles and 300 miles, or the mileage equivalent of two hours driving distance from the Treatment Center; (iii) one room at a modest hotel for patients and caregivers living more than 100 miles or two hours driving distance from the Treatment Center; and (iv) up to $50 per person per day to cover meals and authorized travel expenses.

Other than providing a general overview of the Arrangement to Treatment Centers to potential referring physicians and patients, Requestor does not advertise the Arrangement. Requestor also does not use the Arrangement as a marketing tool, nor does it require treating physicians or a Treatment Center to prescribe or use the Product exclusively.

OIG’s Determination

OIG determined that although the Arrangement would result in remuneration that would implicate the Anti-Kickback Statute, OIG will not impose administrative sanctions on the Requestor in connection with the Arrangement.

OIG considered the following factors when making its determination:

  1. The Arrangement removes financial and geographic barriers to medically necessary care that is provided by Treatment Centers. The Arrangement facilitates access to the care provided at Treatment Centers for patients who may live a significant distance from a Treatment Center or who may not be able to otherwise afford the treatment.
  2. The Product is a one-time, potentially curative treatment, so it is unlike the problematic seeding arrangements that provide free products or remuneration for an initial dose in order to induce patients to continue purchasing the drug product when it would be payable by a federal healthcare program.
  3. The Arrangement includes safeguards to mitigate the fraud and abuse risk under the Anti-Kickback Statute. These safeguards include the requirement that patients are determined to be ineligible for assistance from other sources, the lack of advertising of the Arrangement, and the fact that Requestor does not require referring physicians or Treatment Centers to exclusively prescribe or use the Product.

OIG also found that the Arrangement would not generate prohibited remuneration under the Beneficiary Inducements CMP because the Arrangement meets the “promotes access to care” exception to the Beneficiary Inducements CMP. OIG concluded the exception is satisfied because the provision of travel, lodging, meals, and associated expenses could remove or reduce potential financial and geographic barriers to receiving treatment, and the Arrangement poses a low risk of harm to Medicare and Medicaid beneficiaries.

The full text of OIG Advisory Opinion No. 24-13 is available here.

Reporter, Sophie Mouros, Houston, +713 276 7370, smouros@kslaw.com

__________________

OIG Audit Finds That Medicare Could Achieve Significant Savings if Critical Access Hospital Payments for Swing-Bed Services Were Similar to Those of the FFS Prospective Payment System—On January 3, 2025, OIG posted the results of an audit that found that Medicare could have saved $7.7 billion if critical access hospitals’ (CAH) payments for swing-bed services were similar to those of the fee-for-service (FFS) prospective payment system. CAHs were established by the Rural Flexibility Program under the Balanced Budget Act of 1997 and provide hospital services to enrollees located in rural areas. CMS may also grant a CAH approval to provide swing-bed services in its inpatient beds, which include services similar to those offered at skilled nursing facilities (SNFs). Under the Rural Flexibility Program, Medicare reimburses CAHs at 101% of their reasonable costs. On the other hand, the Medicare prospective payment system and Medicare fee schedules are used to reimburse alternative facilities, including SNFs and acute care hospitals that offer skilled nursing services.

In the audit, OIG found that swing-bed use for skilled nursing services increased about 2.8% from 2015 through 2020, while the average daily reimbursement for swing-bed services increased by 16.6% over the same timeframe. OIG also considered data from a sample of one hundred CAHs and found that 87 out of the 100 CAHs were within 35 miles of an alternative facility that had the same skilled nursing services available. OIG recommended that CMS seek a legislative change to allow CAHs to be reimbursed at the rate of alternative facilities when similar services are available at alternative facilities. CMS cannot alter CAH payment on its own, but rather needs legislative action.

CMS did not concur with OIG’s recommendation. CMS expressed concerns about OIG’s methodology of determining the availability of skilled nursing services at alternative facilities and the impact of payment reductions to CAHs on rural communities.

A copy of OIG’s report is available here.

Reporter, Priya Sinha, Atlanta, +1 404 572 3548, psinha@kslaw.com.

 

Editors: Chris Kenny and Kate Stern

Issue Editors: Elizabeth Key and Dennis Mkrtchian