New Proposed Part 2 Rules Aim for Greater HIPAA Alignment

Long before enactment of HIPAA, substance use disorder (“SUD”) treatment records have enjoyed confidentiality protections under 42 C.F.R. Part 2 (“Part 2”). Since HIPAA/HITECH and related regulations went into effect, SUD treatment providers that are subject to Part 2 (“Part 2 programs”) have struggled to make sense of the inconsistencies between Part 2 and HIPAA. For example, Part 2 programs cannot rely on HIPPA’s treatment, payment or health care operations exception to the authorization requirement because Part 2 is more restrictive than HIPAA and only permits disclosure of Part 2 records without a consent under limited circumstances. These types of inconsistencies, historically, have created numerous operational burdens for Part 2 programs and impeded care coordination.

Part 2 plays an important role to help address concerns that discrimination and fear of prosecution would deter individuals from seeking SUD treatment. It has been challenging for regulators to balance the heightened need for confidentiality of SUD treatment records with the need for sufficient operational flexibility to allow for effective care coordination and treatment.

HHS issued a Notice of Proposed Rulemaking (“NPRM”) proposing rules that implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. § 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Public comments on the NPRM were due by January 31, 2023. HHS is proposing to give providers 24 months to comply with the changes after the publication of the final rule, but it has welcomed comments on whether that compliance period is sufficient.[i]

Continue Reading

Telehealth Safe Harbor Extended

High deductible health plan (“HDHP”) sponsors take note: the Continuing Appropriations Act, 2023 (“CAA23”) temporarily extends the flexibility for HDHPs to provide pre-deductible coverage of telehealth services without affecting the ability to contribute to a HDHP participant’s Health Savings Account (“HSA”).

As we discussed, due to relief first provided in the CARES Act and then extended in Consolidated Appropriations Act, 2022 (“CAA22”), HDHP participants were permitted to receive pre-deductible coverage of telehealth and remote care services during the COVID-19 pandemic without adversely affecting their ability to make or receive contributions to an HSA, except for a few months in the beginning of 2022. This relief was set to expire on December 31, 2022. CAA23 extends this relief through plan years that begin before January 1, 2025.

To continue to offer telehealth services in accordance with the safe harbor or add this benefit, action items for HDHP sponsors include:

  • Adopt plan amendments to document the availability of this benefit.
  • Communicate to participants that this benefit is still available or is newly available. This could require revisions to communications sent prior to CAA23, such as open enrollment materials. Changes to a group health plan’s coverage of telehealth services must be communicated to plan participants in accordance with applicable law.
  • Sponsors of non-calendar year HDHPs should consider how the extension of the safe harbor applies to months of the 2022 plan year that fall in 2023. There appears to be a gap in the relief for these months.

Plan sponsors with questions on the particulars of how this relief applies to them are encouraged to contact a member of the Stoel Rives LLP Employee Benefits practice group.

CMS Issues Final Rule Authorizing Extrapolation as Part of RADV Audits

As a result of a new rule published on February 1, 2023, at 88 Fed. Reg. 6643, Medicare Advantage (MA) organizations soon will be facing enhanced exposure from Risk Adjustment Data Validation (RADV) audits. Under the new rule, effective for audits of payment years 2018 and after, Centers for Medicare & Medicaid Services (CMS) will use extrapolation to calculate MA organizations’ repayment obligations based on RADV audit findings. While CMS did not adopt any specific extrapolation methodology and plans to use methodologies appropriate to the specific audit, it will be focused on contracts identified as being high-risk for improper payments using statistical modeling, data analytics, or both. CMS does commit to disclosing the extrapolation methodology used in connection with any particular audit so that MA organizations will know how their repayment obligation was calculated. Notwithstanding its prior proposal to do so (, CMS did not adopt a Fee-For-Service Adjuster in RADV Audits.  Relying on a recent D.C. Circuit decision, CMS takes the position that the obligation to report and return overpayments is not subject to the “actuarial equivalence” provision of the statute (42 U.S.C. § 1395w-23(a)(1)(C)) that applies to the risk adjustment payment methodology. UnitedHealthcare Ins. Co. v. Becerra, 16 F.4th 867, 885-86 (D.C. Cir. 2021), cert denied, 142 S. Ct. 2851 (2022).

CMS believes that as much as 7% of total aggregate payments made to MA organizations constitute overpayments and expects the new rule to recover more than $479 million in excess payments when implemented in full in 2025.  The new rule is certain to be challenged in court; nonetheless, MA organizations would be well-advised to continue efforts to shore up and enhance compliance programs and procedures to minimize or avoid errors in coding submissions.

Certified Community Behavioral Health Clinics Beware! 

Any provider who participates in the Medicaid program knows that it risks committing fraud if it bills twice for the same service.  Unfortunately, Certified Community Behavioral Health Clinics (CCBHCs) that are also Federally Qualified Health Centers (FQHCs) have been incorrectly advised by the Centers for Medicare & Medicaid & Services (CMS) to do just that. 

CCBHCs are entities that were created by a Substance Abuse and Mental Health Services Administration (SAMHSA) demonstration project to improve the availability and quality of services provided in community mental health centers.  Once certified, the CCBHC is required to offer a specific range of services and meet standards for service.  The model is intended to ensure access to coordinated comprehensive behavioral health care.  CCBHCs are paid similar to FQHCs using a Prospective Payment System (PPS) rate that is based on certain costs to provide CCBHC services. 

In 2016, CMS issued detailed guidance to CCBHCs concerning the PPS rate that unfortunately included some incorrect guidance directed to those CCBHCs that were also FQHCs.  In that guidance (which can still be found on SAMHSA’s website here), CMS strongly implied that CCBHCs could bill the same encounter twice – once using its CCBHC rate and once using its FQHC rate.  The guidance stated as follows:

3.0a FQHCs
A clinic that participates in the Medicaid program as both a FQHC and CCBHC should receive the CCBHC PPS rate whenever it provides any of the services covered by this demonstration, even if there is an overlap with services included in the clinic’s FQHC PPS rate. The state should continue to pay the health center its established FQHC PPS rate and does not need to modify the payment amount. If a clinic user received a CCBHC service and FQHC service during one encounter/visit the provider is eligible to receive both the CCBHC PPS and the FQHC PPS.

This gave the wrong impression that a CCBHC could get paid twice for the same service if it was also an FQHC.  At the very least, it is unclear because it seems to assume without stating that a “CCBHC service” will never overlap with an “FQHC service,” which is simply not the case.  Many FQHCs provide services that are included in the costs used to establish their PPS rates that are also services that would be used to establish their PPS rate if they were certified as a CCBHC. 

Fortunately, in 2021, the federal Government Accountability Office (GAO) issued a report highlighting this problem.  When GAO sought comment from CMS, CMS indicated that it intended to state that CCBHCs are only eligible for both payments if nonoverlapping services are provided.  See page 30 of Medicaid Behavioral Health CMS Guidance Needed to Better Align Demonstration Payment Rates with Costs and Prevent Duplication (Sept. 2021).  CMS explained, for example, that “a CCBHC also certified as an FQHC may provide mental health counseling and a dental cleaning for the same client on the same day” and two payments would be appropriate.  But “a client with mental health counseling and a primary care screening service on the same day should not trigger both types of payments, because both of these services are already included in CCBHC prospective payment rates. In this case, CMS officials told us states should pay only the CCBHC rate.”  Id.

CCBHCs relying on the 2016 guidance and billing twice for the same encounter should consider whether they have identified an overpayment that must be reported and returned to the state Medicaid agency.  42 C.F.R. § 401.305.  Failure to report and return an overpayment within sixty (60) days of identification can result in an ordinary overpayment being treated as a false claim potentially subject to penalties of up to triple the amount of the overpayment plus $12,000 to $25,000 per claim.  One would hope that under these circumstances the state Medicaid agency would take into account the unclear CMS guidance provided when determining how to resolve such a self-report.

Is Any Pandemic Relief Still Available for Employee Benefit Plans?

Though much of U.S. government-sponsored pandemic relief has expired as the country approaches it third new year since its first reported cases of COVID-19, pandemic-related law changes exist that continue to impact employee benefit plans, and it is important that plan sponsors and administrators pay close attention to these changes as the new year approaches. In a recent article for the Daily Journal of Commerce, we discuss several special relief provisions that directly or indirectly affect group health plans. You can read the full article here.

Originally published as an Op-Ed by the Oregon Daily Journal of Commerce on November 4, 2022.

Department of Health (“DOH”) Has Issued Material Updates to Rules Governing Coordinated Quality Improvement Program (“CQIP”) Approval

Many health care entities took a “set it and forget it” approach to their CQIPs once the CQIPs were approved by DOH under regulations adopted in 2006.  Beginning tomorrow, such entities will need to reconsider their approach.  DOH has published significant changes to its regulations regarding approval of CQIPs that are operated by health care entities such as provider groups, health care facilities that are not hospitals, and health care plans.  In light of the revisions to WAC Chapter 246-50, health care entities should review the contents of their CQIPs regularly and establish new mechanisms for managing CQIPs.

The new regulations as adopted are available at:

The final rule that shows the regulatory changes can be found at:

Requirements for Obtaining and Maintaining Approval for a CQIP

The new rule becomes effective May 21, 2021, and requires health care entities to:

  • Apply for renewed approval of their current CQIPs by December 31, 2021, and pay a $75 renewal fee;
  • Request renewed DOH approval for their CQIPs every five years thereafter;
  • Notify DOH within 30 days if there is a change in the entity’s “authorized representative” who submitted the application for new or renewed approval; and
  • Modify their CQIPs within six months to comply with any future changes to CQIP requirements adopted by DOH or the Washington legislature and to seek DOH approval for the modifications.

If a health care entity does not apply for renewed approval on a timely basis, the existing approval for the CQIP lapses, and the entity must submit a new application for approval.  This scenario may be a trap for unwary organizations that overlook the renewal date.  Quality improvement and peer review records created during the interim period between the expiration of approval and a new application may not be considered privileged and confidential in the same way they would be while the CQIP approval is in effect.  During that interim period, individuals who provide information or participate in peer review and quality improvement activities may not enjoy the immunity protections provided for under the statute that authorized the DOH approval process, RCW 43.70.510.

Health care entities should consider adopting measures to mitigate the effects of lapsed approvals such as participating in a patient safety organization (“PSO”), that offers additional protection under the Health Care Quality Improvement Act of 1986, and requiring contractors to represent that their CQIPs are in good standing with DOH.

Although all health care entities must apply for renewed approval for their CQIPs by the end of the year, they need not worry about the consequences of any delay caused by the volume of renewal requests.  Current CQIP approval remains in place while a renewal application is under DOH review.  However, a health care entity that intends to seek new approval for a CQIP should apply as soon as possible to avoid delays caused by a potential backlog of renewal applications. Continue Reading

Stoel Rives’ Health Care Attorneys Contribute to PBJ ‘Health Care of the Future’ Special Publication

Stoel Rives recently continued its long-time sponsorship of the  Portland Business Journal Health Care of the Future awards. A special publication for the awards includes a collaboration by Stoel Rives’ attorneys Todd Hanchett, Tim Hatfield, Kelly Knivila and Sarah Oyer on an article addressing four current trends in health care.  Topics covered include behavioral health services, value-based purchasing, telehealth and employment-related issues.  Read the full article here.

Department of Labor Narrows FFCRA Exemption for Health Care Providers

The Department of Labor (DOL) recently modified its guidance regarding leave under the Families First Coronavirus Response Act (FFCRA). These changes pertain to the applicability of FFCRA leave to employees of health care providers. The changes – which take effect on September 16, 2020 – are a response, in part, to a recent New York federal district court opinion invalidating some of the DOL’s prior guidance. (See here.)

The DOL narrowed the applicability of the FFCRA exemption for health care providers. Under the new guidance, not all employees of health care providers are exempt from FFCRA. Only the following employees may be excluded: (1) licensed doctors of medicine, nurse practitioners, chiropractors, dentists, and others permitted to issue FMLA certifications under 29 C.F.R. 825.125; and (2) employees who provide diagnostic, preventive, or treatment services, or “other services that are integrated with and necessary to the provision of patient care and, if not provided, would adversely impact patient care.” This exemption includes, among others, nurses, medical technicians, and laboratory technicians. We recommend that health care providers seeking to exempt some employees from FFCRA talk to their legal counsel about whether the exemption applies.

The DOL encourages health care providers to minimize use of the exemption to the extent possible in order to prevent the spread of COVID-19. Employers may choose to allow some types of FFCRA leave (e.g., leave for employees with COVID-19 symptoms) and not others (e.g., childcare leave).

Part 2 Amendments Facilitate Care Coordination Activities of Substance Use Disorder Treatment Programs

On July 15, 2020, the Substance Abuse and Mental Health Services Administration (SAMHSA) made substantial changes to the permitted uses and disclosures of substance use disorder (SUD) records for programs covered by 42 C.F.R. Part 2. The stated intent of the final rule is to facilitate the provision of well-coordinated SUD care. The rules do indeed appear to remove regulatory barriers that have made it difficult for SUD providers to engage in the type of care coordination activities that are increasingly common outside the substance abuse context.

Perhaps the most significant change to the rules is the expansion and clarification of the permitted uses and disclosures for the purposes of “health care operations.”  A Part 2 program has long been able to obtain patient consent for the use and disclosure of substance abuse information for “payment and/or health care operations.” Previously, however, the relevant rules explicitly stated that “health care operations” cannot include disclosures “to carry out other purposes such as substance use disorder patient diagnosis, treatment, or referral for treatment.” 83 Fed. Reg. 239-01, 243 (Jan. 3, 2018). SAMHSA specifically advised that this language meant that the term “health care operations” is “not intended to cover care coordination or case management.” Id.

Through these recent rule changes, SAMHSA effectively has reversed this guidance and now defines the term “health care operations” to include any “payment/health care operation activities not expressly prohibited,” including “care coordination and/or case management services.” This more closely aligns with the definition of “health care operations” found in HIPAA and will allow the disclosure of SUD records to entities that perform care coordination services. It also will allow such entities to disclose such records to its contractors or legal representatives for health care operations. We note, however, that any disclosure for health care operations still will require specific patient authorization. 42 C.F.R. § 2.31. Continue Reading

Non-Urgent and Elective Procedures Update: Oregon and Washington Ease Prohibitions

In a previous Health Law Insider blog post, Stoel Rives’ health care team discussed the prohibition on elective procedures promulgated by Oregon and Washington in an effort to conserve the states’ supply of Personal Protective Equipment (“PPE”) and manage provider treatment capacity to ensure adequate resources were available to combat COVID-19. Recently, Oregon and Washington issued guidance permitting providers to gradually restart the provision of elective and non-emergent procedures.[1] As discussed below, Washington also released interpretive guidance to help providers determine how to assess “harm” to the patient that would help determine which procedures are urgent such that they are permitted under the “critical care phase” described in Governor Inslee’s Proclamation 20-24.1.

Additionally, Minnesota recently eased its prohibitions on non-urgent and elective procedures. For information regarding Minnesota’s order, please refer to our earlier client alert.


Oregon’s requirements for resumption of elective and non-emergent procedures are onerous and differ based on the provider type. Prior to resuming elective and non-emergent procedures, hospitals and ambulatory surgical centers (“ASC”), must:

  • Ensure that they have adequate bed and workforce capacity to “accommodate an increase in COVID-19 hospitalizations in addition to increased post-procedure hospitalizations.” Specifically, hospital bed (i.e., ICU, step-down, and medical/surgical beds) availability in the region must be maintained at or below 20% and providers must have sufficient capacity to treat all hospitalized patients “without resorting to crises standard of care”;
  • Attest that they are maintaining a 30-day PPE supply on hand (two-week supply and an “open supply chain” is sufficient for “small facilities”);[2]
  • Be able to obtain “sustained PPE supply” without the triggering PPE-conserving measures;
  • Hospitals must provide a daily PPE supplies report to the Oregon Health Authority’s hospital capacity web system;
  • Have adequate access to COVID-19 testing capacity that provides results within two days (four days for smaller facilities) and consider testing patients before performing non-emergent or elective procedures;
  • Have strict infection control and visitation policies in place; and
  • Have sufficient resources for peri-operative care (e.g., pre- and post-operative provider visits; lab, radiology, and pathology services; and other ancillary services).

Continue Reading