Long before enactment of HIPAA, substance use disorder (“SUD”) treatment records have enjoyed confidentiality protections under 42 C.F.R. Part 2 (“Part 2”). Since HIPAA/HITECH and related regulations went into effect, SUD treatment providers that are subject to Part 2 (“Part 2 programs”) have struggled to make sense of the inconsistencies between Part 2 and HIPAA. For example, Part 2 programs cannot rely on HIPPA’s treatment, payment or health care operations exception to the authorization requirement because Part 2 is more restrictive than HIPAA and only permits disclosure of Part 2 records without a consent under limited circumstances. These types of inconsistencies, historically, have created numerous operational burdens for Part 2 programs and impeded care coordination.

Part 2 plays an important role to help address concerns that discrimination and fear of prosecution would deter individuals from seeking SUD treatment. It has been challenging for regulators to balance the heightened need for confidentiality of SUD treatment records with the need for sufficient operational flexibility to allow for effective care coordination and treatment.

HHS issued a Notice of Proposed Rulemaking (“NPRM”) proposing rules that implement statutory amendments to section 290dd-2 of title 42 United States Code (42 U.S.C. § 290dd-2) enacted in section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. Public comments on the NPRM were due by January 31, 2023. HHS is proposing to give providers 24 months to comply with the changes after the publication of the final rule, but it has welcomed comments on whether that compliance period is sufficient.[i]Continue Reading New Proposed Part 2 Rules Aim for Greater HIPAA Alignment

The Employee Benefits Security Administration (EBSA) of the Department of Labor (DOL) and the Department of Treasury and Internal Revenue Service (IRS) issued a notification of relief, effective immediately, that extends certain critical deadlines in health, disability, and other welfare plans (Deadline Relief).[1] This Deadline Relief requires that these plans extend certain deadlines that affect plan participants, beneficiaries, claimants and Consolidated Omnibus Budget Reconciliation Act (COBRA) qualified beneficiaries, by disregarding days during the COVID-19 “Outbreak Period” from counting toward statutory and regulatory timeframes.

The Outbreak Period began on March 1, 2020 and lasts until 60 days after the announced end of the “National Emergency” period for COVID-19 that was declared by the President.

These deadline extensions will impact employer plan sponsors, administrators and insurers.
Continue Reading Important Deadlines Delayed for Health and Welfare Plans due to COVID-19 Emergency: Impacts for Employer Plan Sponsors, Administrators, and Insurers

On March 13, 2020, President Donald Trump issued a proclamation declaring a national emergency concerning the novel coronavirus disease (the “Emergency Declaration”).  The president framed the emergency declaration as empowering the Secretary of Health and Human Services (“HHS”) to waive “laws to enable telehealth,” which gave providers hope that the administration would remove some of the primary regulatory barriers to the broad implementation of telehealth services. In the days since the declaration, the administration has taken increasingly significant steps to do just that.

The Emergency Declaration authorized the Secretary of HHS to exercise his waiver authority under Section 1135 of the Social Security Act (42 U.S.C. § 1320b–5). Section 1135 empowers the Secretary to waive or modify only certain provisions under Medicare, Medicaid, the Children’s Health Insurance Program (“CHIP”), and the Health Insurance Portability and Accountability Act (“HIPAA”) during a national emergency.  Congress broadened these waiver authorities in the emergency supplemental appropriations bill, signed into law on March 6, which gave the Secretary additional authority under Section 1135 to loosen Medicare’s telehealth billing standards. It also specifically allowed the Secretary to waive the requirement that the beneficiary live in a rural area and receive the services at an approved remote site, such as a rural hospital.Continue Reading CMS Takes Significant Action to Spur Use of Telehealth Services for Duration of COVID-19 Emergency

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement