January 2016

On January 27, 2016, the Centers for Medicare and Medicaid Services (CMS) issued a final rule requiring documentation of face-to-face encounters for physicians ordering home health services and certain medical equipment for Medicaid beneficiaries as required by the Patient Protection and Affordable Care Act of 2010. While the final rule becomes effective on July 1, 2016, CMS is delaying compliance until July 1, 2017 for states whose legislatures meet in 2016 or until July 1, 2018 for all other states.

On January 21, 2016, the Centers for Medicare and Medicaid Services (CMS) published the final rule with comment period titled “Medicaid Program; Covered Outpatient Drugs.” In the final rule, CMS implements provisions of the Affordable Care Act (ACA) pertaining to Medicaid reimbursement for covered outpatient drugs (CODs) and revises key requirements related to the Medicaid Drug Rebate (MDR) program.

On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s entire lifecycle. The draft guidance addresses the shared concerns of the FDA, manufacturers, providers, and consumers about the risks to the safety and efficacy of medical devices and private patient data and the difficulties in detecting new cybersecurity threats. The 2016 draft guidance builds on premarket approval cybersecurity risk management recommendations published by the FDA in its 2014 guidance.

At a recent DC Bar program called “The Use of Data by the OIG-DHHS and CMS/CPI in Medicare Program Integrity, Investigations and Compliance,” representatives from CMS and the OIG provided their perspectives on the evolving capabilities of government agencies to review and analyze large datasets related to the provision and reimbursement of healthcare services.

CMS announced that it has updated the Sunshine Act / Open Payments dataset to reflect (1) changes made to records, (2) changes to delays in publication flags, (3) changes to disputed records, and (4) deleted records. 

On January 6, 2015, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) issued a final rule modifying certain provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The modifications grant to certain covered entities a narrowly tailored permission to disclose limited information concerning individuals subject to the Federal mental health prohibitor, as needed for National Instant Criminal Background Check System (NICS) reporting.

The University of Washington Medicine (“UWM”) has agreed to pay US$750,000 to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule, following a breach report first submitted by UWM on November 27, 2013. In addition to the settlement, UWM has entered into a Resolution Agreement with the United States Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) and has entered into and agreed to comply with a Corrective Action Plan (“CAP”).

As part of the Australian Government’s digital health agenda, the Health Legislation Amendment (eHealth) Act 2015 (the Act) has recently been assented to. The personally controlled electronic health record (PCEHR) system was launched in July 2012. An eHealth record is an online summary of an individual’s health information. The individual controls what is included in the record and who can access it, and the eHealth record allows the individual and his or her doctors, hospitals and other healthcare providers to view and share the individual’s health information.