Hot Topics in Health Care May 2023
Proposed Protections for Patient Data Related to Reproductive Care
On April 12, 2023, the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS) proposed a new rule to strengthen HIPAA protections related to reproductive health care privacy. The proposed rule is in response to President Biden’s Executive Order 14076, which directed HHS to assess additional actions, including actions under HIPAA, that HHS can take to increase protections for sensitive patient information related to reproductive health care and bolster patient-provider confidentiality. The proposed rule would strengthen privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a regulated entity for either of the following purposes: 1) a criminal, civil, or administrative investigation into or proceeding against any person in connection with obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided; and 2) the identification of any person for the purpose of initiating such investigations or proceedings. This proposal would protect individuals regarding out-of-state investigations if the health care provided is legal in the state where it occurred and also if the health care is expressly protected, required, or authorized under federal law. The proposed rule can be viewed here, and comments are due to HHS no later than June 16, 2023.
Expiration of HIPAA Enforcement Discretion
During the COVID-19 public health emergency (PHE), OCR issued several bulletins outlining how the agency would apply the HIPAA privacy, security, breach notification, and enforcement rules in various circumstances during the PHE. OCR exercised its enforcement discretion in order to support the health care sector in responding to the PHE, particularly with regard to quickly implementing telehealth capabilities. To coincide with the end of the PHE, OCR announced the expiration of certain enforcement discretion notifications. The following OCR notifications expired on May 11, 2023:
- Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
- Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
- Enforcement Discretion Under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
- Enforcement Discretion Regarding Online or Web-based Scheduling Applications for the Scheduling of Individual Appointments for COVID-19 Vaccination During the COVID-19 Nationwide Public Health Emergency
Covered entities will have 90 days to come into compliance with the applicable HIPAA rules for their telehealth services. This 90-day transition period will expire on August 9, 2023.
Expiration of OIG Enforcement Discretion
Similarly, the Office of Inspector General (OIG) exercised its enforcement discretion during the PHE and recently announced that two related Policy Statements and FAQs designed to provide flexibility and minimize burdens for health care providers during the PHE will expire on May 11, 2023. The following Policy Statements and FAQs will no longer be in effect and should not be relied upon by health care providers:
- OIG Policy Statement Regarding Physicians and Other Practitioners that Reduce or Waive Amounts Owed by Federal Health Care Program Beneficiaries for Telehealth Services During the 2019 Novel Coronavirus (COVID-19) Outbreak
- OIG Policy Statement Regarding Application of Certain Administrative Enforcement Authorities due to Declaration of Coronavirus Disease 2019 (COVID-19) Outbreak in the United States as a National Emergency
- FAQs-Application of OIG’s Administrative Enforcement Authorities to Arrangements Directly Connected to the Coronavirus Disease 2019 (COVID-19) Public Health Emergency
Proposed Medicaid Managed Care Rulemaking
On May 3, 2023, the Centers for Medicare & Medicaid Services (CMS) published a proposed rule in the Federal Register that introduces significant changes to existing Medicaid managed care and Children’s Health Insurance Program (CHIP) regulations. This is the most expansive proposed rule regarding Medicaid managed care since CMS’ overhaul of the Medicaid managed care regulations in 2016. The proposed rule addresses a number of areas, including access requirements, requirements with respect to quality, and permissions regarding “in lieu of” services. Additionally, CMS is proposing numerous changes to the State-directed payment regulations, which permit States to direct certain Medicaid managed care expenditures within the established regulatory parameters. Since authorizing State-directed payments in its 2016 rule, CMS has seen tremendous growth in the number of States pursuing these programs. States sought CMS approval for 36 State-directed payment programs in 2017, and that number has increased to 298 proposed programs in 2022.