Long before enactment of HIPAA, substance use disorder (“SUD”) treatment records have enjoyed confidentiality protections under 42 C.F.R. Part 2 (“Part 2”). Since HIPAA/HITECH and related regulations went into effect, SUD treatment providers that are subject to Part 2 (“Part 2 programs”) have struggled to make sense of the inconsistencies between Part 2 and HIPAA. For example, Part 2 programs cannot rely on HIPAA’s treatment, payment or health care operations exception to the authorization requirement because Part 2 is more restrictive than HIPAA and only permits disclosure of Part 2 records without a consent under limited circumstances. These types of inconsistencies, historically, have created numerous operational burdens for Part 2 programs and impeded care coordination.

Part 2 plays an important role in addressing concerns that discrimination and fear of prosecution would deter individuals from seeking SUD treatment. It has been challenging for regulators to balance the heightened need for confidentiality of SUD treatment records with the need for sufficient operational flexibility to allow for effective care coordination and treatment.

HHS issued a Notice of Proposed Rulemaking (“NPRM”) proposing rules that implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. § 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Public comments on the NPRM were due by January 31, 2023. HHS is proposing to give providers 24 months to comply with the changes after the publication of the final rule, but it has welcomed comments on whether that compliance period is sufficient.[i]

Any provider who participates in the Medicaid program knows that it risks committing fraud if it bills twice for the same service. Unfortunately, Certified Community Behavioral Health Clinics (CCBHCs) that are also Federally Qualified Health Centers (FQHCs) have been incorrectly advised by the Centers for Medicare & Medicaid Services (CMS) to do just that.

CCBHCs are entities that were created by a Substance Abuse and Mental Health Services Administration (SAMHSA) demonstration project to improve the availability and quality of services provided in community mental health centers. Once certified, the CCBHC is required to offer a specific range of services and meet standards for service. The model is intended to ensure access to coordinated comprehensive behavioral health care. CCBHCs are paid similarly to FQHCs, using a Prospective Payment System (PPS) rate that is based on certain costs to provide CCBHC services.

The Employee Benefits Security Administration (EBSA) of the Department of Labor (DOL) and the Department of Treasury and Internal Revenue Service (IRS) issued a notification of relief, effective immediately, that extends certain critical deadlines in health, disability, and other welfare plans (Deadline Relief).[1] This Deadline Relief requires that these plans extend certain deadlines that affect plan participants, beneficiaries, claimants and Consolidated Omnibus Budget Reconciliation Act (COBRA) qualified beneficiaries, by disregarding days during the COVID-19 “Outbreak Period” from counting toward statutory and regulatory timeframes.

The Outbreak Period began on March 1, 2020 and lasts until 60 days after the announced end of the “National Emergency” period for COVID-19 that was declared by the President.

These deadline extensions will impact employer plan sponsors, administrators and insurers.

On March 13, 2020, President Donald Trump issued a proclamation declaring a national emergency concerning the novel coronavirus disease (the “Emergency Declaration”).  The president framed the emergency declaration as empowering the Secretary of Health and Human Services (“HHS”) to waive “laws to enable telehealth,” which gave providers hope that the administration would remove some of the primary regulatory barriers to the broad implementation of telehealth services. In the days since the declaration, the administration has taken increasingly significant steps to do just that.

The Emergency Declaration authorized the Secretary of HHS to exercise his waiver authority under Section 1135 of the Social Security Act (42 U.S.C. § 1320b–5). Section 1135 empowers the Secretary to waive or modify only certain provisions under Medicare, Medicaid, the Children’s Health Insurance Program (“CHIP”), and the Health Insurance Portability and Accountability Act (“HIPAA”) during a national emergency. Congress broadened these waiver authorities in the emergency supplemental appropriations bill, signed into law on March 6, which gave the Secretary additional authority under Section 1135 to loosen Medicare’s telehealth billing standards. It also specifically allowed the Secretary to waive the requirement that the beneficiary live in a rural area and receive the services at an approved remote site, such as a rural hospital.

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as “banking Trojans” to steal credentials and financial information, these intrusive, fast-replicating Trojans spread quickly. Emotet is polymorphic, which makes it difficult for traditional antivirus solutions to detect. It worms its way through a network, generally using phishing emails from compromised systems to spread as quickly as possible. Once it’s infected enough computers, it will “drop” (install) other malicious programs, especially TrickBot, which has all sorts of modular, built-in tools to discover system information, compromise that system and steal data.

The presence of either of these Trojans on a network is a serious threat. Both of these Trojans are closely related; where you see one, you often see the other. To help visualize how they work, think about them like a team of professional robbers:

  • Emotet is the ‘strike team’ hired to get TrickBot through as many doors as possible, by exploiting vulnerabilities or by stealing keys
  • TrickBot is the professional ‘safe-cracking team’ the Emotet strike team gets in the door
  • TrickBot might install ransomware to collect a ransom, or maybe just cover its tracks when it’s done. When it installs ransomware, it’s often Ryuk.


In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.

The Office for Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement